"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "NEWS" between
dbus-1.13.16.tar.xz and dbus-1.13.18.tar.xz

About: D-Bus is an inter-process communication (IPC) system, allowing multiple, concurrently-running applications to communicate with one another. D-Bus supplies both a system daemon and a per-user-login-session daemon. Development version.

NEWS  (dbus-1.13.16.tar.xz):NEWS  (dbus-1.13.18.tar.xz)
dbus 1.13.18 (2020-07-02)
=========================
The “carnivorous border” release.
Maybe security fixes:
• On Unix, avoid a use-after-free if two usernames have the same
numeric uid. In older versions this could lead to a crash (denial of
service) or other undefined behaviour, possibly including incorrect
authorization decisions if <policy group=...> is used.
Like Unix filesystems, D-Bus' model of identity cannot distinguish
between users of different names with the same numeric uid, so this
configuration is not advisable on systems where D-Bus will be used.
Thanks to Daniel Onaca.
(dbus#305, dbus!166; Simon McVittie)
Other fixes:
• On Solaris and its derivatives, if a cmsg header is truncated, ensure
that we do not overrun the buffer used for fd-passing, even if the
kernel tells us to.
(dbus#304, dbus!165; Andy Fiddaman)
• When built with CMake, use GNUInstallDirs' special-cases for prefixes
/, /usr and /opt/*
(dbus!155, Ralf Habacker)
• When built with CMake on Linux, allow systemd-specific features to be
enabled, for feature parity with Autotools
(dbus!155, Ralf Habacker)
• When built with CMake, install the same example files as with Autotools
(dbus!155, Ralf Habacker)
• Correct the doc-comment for DBUS_ERROR_SPAWN_NO_MEMORY
(dbus!163, Marc-André Lureau)
dbus 1.13.16 (2020-06-02) dbus 1.13.16 (2020-06-02)
========================= =========================
The “ominous mushroom hat” release. The “ominous mushroom hat” release.
Denial of service fixes: Denial of service fixes:
• CVE-2020-12049: If a message contains more file descriptors than can • CVE-2020-12049: If a message contains more file descriptors than can
be sent, close those that did get through before reporting error. be sent, close those that did get through before reporting error.
Previously, a local attacker could cause the system dbus-daemon (or Previously, a local attacker could cause the system dbus-daemon (or
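Review bot: The heading "Maybe security fixes:" in the 1.13.18 entry leaves the classification of the same-uid use-after-free unclear, especially next to the 1.13.16 entry, which uses "Denial of service fixes:" and names CVE-2020-12049. The item text already lists a crash (denial of service) and possible incorrect authorization decisions with <policy group=...> as outcomes, so the heading could state the classification directly. The item could also say whether any identifier beyond dbus#305 and dbus!166 has been assigned, so that packagers triaging the release do not have to guess whether the fix needs backporting.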
 End of changes. 1 change blocks. 
0 lines changed or deleted 38 lines changed or added
