Security update for dbus-1 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2736-1 Final 1 1 2016-11-05T10:09:08Z current 2016-11-05T10:09:08Z 2016-11-05T10:09:08Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for dbus-1 This update for dbus-1 to version 1.8.22 fixes several issues. This security issue was fixed: - boo#1003898: Do not treat ActivationFailure message received from root-owned systemd name as a format string. These non-security issues were fixed: - boo#978477: Correctly reset timeouts for pending file descriptors - boo#980928: increase listen() backlog of AF_UNIX sockets to SOMAXCONN - Change the default configuration for the session bus to only allow EXTERNAL authentication (secure kernel-mediated credentials-passing), as was already done for the system bus. - Fix a memory leak when GetConnectionCredentials() succeeds (fdo#91008) - Ensure that dbus-monitor does not reply to messages intended for others (fdo#90952) - Add locking to DBusCounter's reference count and notify function (fdo#89297) - Ensure that DBusTransport's reference count is protected by the corresponding DBusConnection's lock (fdo#90312) - Correctly release DBusServer mutex before early-return if we run out of memory while copying authentication mechanisms (fdo#90021) - Correctly initialize all fields of DBusTypeReader (fdo#90021) - Fix some missing \n in verbose (debug log) messages (fdo#90004) - Clean up some memory leaks in test code (fdo#90021) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-11/msg00017.html E-Mail link for openSUSE-SU-2016:2736-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings dbus-1-1.8.22-4.39.1 dbus-1-devel-1.8.22-4.39.1 dbus-1-devel-32bit-1.8.22-4.39.1 dbus-1-devel-doc-1.8.22-4.39.1 dbus-1-x11-1.8.22-4.39.1 libdbus-1-3-1.8.22-4.39.1 libdbus-1-3-32bit-1.8.22-4.39.1 D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds. CVE-2015-0245 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-11/msg00017.html https://www.suse.com/security/cve/CVE-2015-0245.html CVE-2015-0245 https://bugzilla.suse.com/1003898 SUSE Bug 1003898 https://bugzilla.suse.com/916343 SUSE Bug 916343