[MacPorts] #46504: Update: dbus 1.8.14
#46504: Update: dbus 1.8.14
----------------------------+--------------------------------
 Reporter:  mschamschula@…  |      Owner:  macports-tickets@…
     Type:  update          |     Status:  new
 Priority:  Normal          |  Milestone:
Component:  ports           |    Version:  2.3.3
 Keywords:  haspatch        |       Port:  dbus
----------------------------+--------------------------------
 dbus has been updated to version 1.8.14:

 {{{
 The “40lb of roofing nails” release.

 Security hardening:

 • Do not allow calls to UpdateActivationEnvironment from uids other than
   the uid of the dbus-daemon. If a system service installs unsafe
   security policy rules that allow arbitrary method calls
   (such as CVE-2014-8148) then this prevents memory consumption and
   possible privilege escalation via UpdateActivationEnvironment.

   We believe that in practice, privilege escalation here is avoided
   by dbus-daemon-launch-helper sanitizing its environment; but
   it seems better to be safe.

 • Do not allow calls to UpdateActivationEnvironment or the Stats interface
   on object paths other than /org/freedesktop/DBus. Some system services
   install unsafe security policy rules that allow arbitrary method calls
   to any destination, method and interface with a specified object path;
   while less bad than allowing arbitrary method calls, these security
   policies are still harmful, since dbus-daemon normally offers the
   same API on all object paths and other system services might behave
   similarly.
 }}}

--
Ticket URL: <https://trac.macports.org/ticket/46504>
MacPorts <https://www.macports.org/>
Ports system for OS X
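The release notes above describe two kinds of unsafe bus policy: rules that allow arbitrary method calls, and rules that allow any call on a given object path regardless of destination. The following is an added example, not part of the ticket or of dbus: a small audit that flags both kinds of `<allow>` rule in a policy file. The sample policy and the `com.example.Service` names are constructed, and the two-category heuristic is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy for a hypothetical com.example.Service.
SAMPLE_POLICY = """\
<busconfig>
  <policy user="root">
    <allow own="com.example.Service"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.example.Service"
           send_interface="com.example.Service.Manager"/>
    <allow send_path="/com/example/Service"/>
    <allow send_type="method_call"/>
    <deny send_destination="com.example.Service" send_member="Shutdown"/>
  </policy>
</busconfig>
"""

def audit_policy(xml_text):
    """Return (policy scope, kind, send attributes) for each risky <allow>."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        scope = ", ".join(f"{k}={v}" for k, v in sorted(policy.attrib.items()))
        for rule in policy.findall("allow"):
            send = {k: v for k, v in rule.attrib.items() if k.startswith("send_")}
            # Rules without send_* attributes, or pinned to a destination,
            # are outside this check.
            if not send or "send_destination" in send:
                continue
            narrowing = set(send) - {"send_type"}
            if not narrowing:
                kind = "arbitrary-send"   # matches any destination, path, method
            elif narrowing == {"send_path"}:
                kind = "path-only"        # matches that path on any destination
            else:
                continue
            findings.append((scope, kind, send))
    return findings

if __name__ == "__main__":
    for scope, kind, send in audit_policy(SAMPLE_POLICY):
        print(f"[{kind}] policy({scope}): allow {send}")
```

A flagged rule is usually fixed by adding `send_destination` naming the service that the rule is meant to reach.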

#46504: Update: dbus 1.8.14
-----------------------------+------------------------
  Reporter:  mschamschula@…  |      Owner:  mcalhoun@…
      Type:  update          |     Status:  new
  Priority:  Normal          |  Milestone:
 Component:  ports           |    Version:  2.3.3
Resolution:                  |   Keywords:  haspatch
      Port:  dbus            |
-----------------------------+------------------------
Changes (by ryandesign@…):

 * cc: mcalhoun@… (removed)
 * owner:  macports-tickets@… => mcalhoun@…

--
Ticket URL: <https://trac.macports.org/ticket/46504#comment:1>
MacPorts <https://www.macports.org/>
Ports system for OS X

#46504: Update: dbus 1.8.14
-----------------------------+------------------------
  Reporter:  mschamschula@…  |      Owner:  mcalhoun@…
      Type:  update          |     Status:  new
  Priority:  Normal          |  Milestone:
 Component:  ports           |    Version:  2.3.3
Resolution:                  |   Keywords:  haspatch
      Port:  dbus            |
-----------------------------+------------------------
Comment (by mschamschula@…):

 In the meantime dbus has been updated to version 1.8.16:

 {{{
 The “poorly concealed wrestlers” release.

 Security fixes:

 • Do not allow non-uid-0 processes to send forged ActivationFailure
   messages. On Linux systems with systemd activation, this would
   allow a local denial of service: unprivileged processes could
   flood the bus with these forged messages, winning the race with
   the actual service activation and causing an error reply
   to be sent back when service auto-activation was requested.
   This does not prevent the real service from being started,
   so it only works while the real service is not running.
   (CVE-2015-0245, fd.o #88811; Simon McVittie)
 }}}

--
Ticket URL: <https://trac.macports.org/ticket/46504#comment:2>
MacPorts <https://www.macports.org/>
Ports system for OS X

#46504: Update: dbus 1.8.14
-----------------------------+------------------------
  Reporter:  mschamschula@…  |      Owner:  mcalhoun@…
      Type:  update          |     Status:  closed
  Priority:  Normal          |  Milestone:
 Component:  ports           |    Version:  2.3.3
Resolution:  fixed           |   Keywords:  haspatch
      Port:  dbus            |
-----------------------------+------------------------
Changes (by snc@…):

 * status:  new => closed
 * cc: scn@… (added)
 * resolution:   => fixed

Comment:

 r134498.

--
Ticket URL: <https://trac.macports.org/ticket/46504#comment:3>
MacPorts <https://www.macports.org/>
Ports system for OS X