package/dbus: security bump to version 1.2.28

Message ID 20230625174707.1688088-1-peter@korsgaard.com
State Accepted

Commit Message

Peter Korsgaard June 25, 2023, 5:47 p.m. UTC
Fixes the following security issues:

- CVE-2023-34969: Fix an assertion failure in dbus-daemon when a privileged
  Monitoring connection (dbus-monitor, busctl monitor, gdbus monitor or
  similar) is active, and a message from the bus driver cannot be delivered
  to a client connection due to <deny> rules or outgoing message quota.
  This is a denial of service if triggered maliciously by a local attacker.

- Fix an incorrect assertion that could be used to crash dbus-daemon or
  other users of DBusServer prior to authentication, if libdbus was compiled
  with assertions enabled.

For details, see the NEWS file:
https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12/NEWS

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/dbus/dbus.hash | 4 ++--
 package/dbus/dbus.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

Comments

Arnout Vandecappelle June 25, 2023, 7:25 p.m. UTC | #1
On 25/06/2023 19:47, Peter Korsgaard wrote:
> Fixes the following security issues:
> 
> - CVE-2023-34969: Fix an assertion failure in dbus-daemon when a privileged
>    Monitoring connection (dbus-monitor, busctl monitor, gdbus monitor or
>    similar) is active, and a message from the bus driver cannot be delivered
>    to a client connection due to <deny> rules or outgoing message quota.
>    This is a denial of service if triggered maliciously by a local attacker.
> 
> - Fix an incorrect assertion that could be used to crash dbus-daemon or
>    other users of DBusServer prior to authentication, if libdbus was compiled
>    with assertions enabled.
> 
> For details, see the NEWS file:
> https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12/NEWS
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

  Applied to master, thanks.

  Regards,
  Arnout

> ---
>   package/dbus/dbus.hash | 4 ++--
>   package/dbus/dbus.mk   | 2 +-
>   2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/dbus/dbus.hash b/package/dbus/dbus.hash
> index 17c70004ba..0e48d4dafd 100644
> --- a/package/dbus/dbus.hash
> +++ b/package/dbus/dbus.hash
> @@ -1,7 +1,7 @@
>   # Locally calculated after checking pgp signature
> -# https://dbus.freedesktop.org/releases/dbus/dbus-1.12.24.tar.gz.asc
> +# https://dbus.freedesktop.org/releases/dbus/dbus-1.12.28.tar.gz.asc
>   # using key 36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F
> -sha256  bc42d196c1756ac520d61bf3ccd6f42013617def45dd1e591a6091abf51dca38  dbus-1.12.24.tar.gz
> +sha256  9da1e3f2b73f75eec0a9e4509d64be43909d1f2853fe809528a0a53984d76420  dbus-1.12.28.tar.gz
>   
>   # Locally calculated
>   sha256  0e46f54efb12d04ab5c33713bacd0e140c9a35b57ae29e03c853203266e8f3a1  COPYING
> diff --git a/package/dbus/dbus.mk b/package/dbus/dbus.mk
> index b3a79c431d..99d2c4301c 100644
> --- a/package/dbus/dbus.mk
> +++ b/package/dbus/dbus.mk
> @@ -6,7 +6,7 @@
>   
>   # When updating dbus, check if there are changes in session.conf and
>   # system.conf, and update the versions in the dbus-broker package accordingly.
> -DBUS_VERSION = 1.12.24
> +DBUS_VERSION = 1.12.28
>   DBUS_SITE = https://dbus.freedesktop.org/releases/dbus
>   DBUS_LICENSE = AFL-2.1 or GPL-2.0+ (library, tools), GPL-2.0+ (tools)
>   DBUS_LICENSE_FILES = COPYING

Patch

diff --git a/package/dbus/dbus.hash b/package/dbus/dbus.hash
index 17c70004ba..0e48d4dafd 100644
--- a/package/dbus/dbus.hash
+++ b/package/dbus/dbus.hash
@@ -1,7 +1,7 @@ 
 # Locally calculated after checking pgp signature
-# https://dbus.freedesktop.org/releases/dbus/dbus-1.12.24.tar.gz.asc
+# https://dbus.freedesktop.org/releases/dbus/dbus-1.12.28.tar.gz.asc
 # using key 36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F
-sha256  bc42d196c1756ac520d61bf3ccd6f42013617def45dd1e591a6091abf51dca38  dbus-1.12.24.tar.gz
+sha256  9da1e3f2b73f75eec0a9e4509d64be43909d1f2853fe809528a0a53984d76420  dbus-1.12.28.tar.gz
 
 # Locally calculated
 sha256  0e46f54efb12d04ab5c33713bacd0e140c9a35b57ae29e03c853203266e8f3a1  COPYING
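Review bot: the header comment in dbus.hash says the tarball hash was calculated after checking the PGP signature, and the `# using key` line is left unchanged while the .asc URL and the sha256 move to 1.12.28, but the commit message does not say the signature check was repeated for the new tarball. Suggest stating in the commit message that dbus-1.12.28.tar.gz.asc verified against that same key, so the new sha256 is traceable to a signed release and not only to a download. The COPYING hash is unchanged, which is consistent with the license lines in dbus.mk staying as they are.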
diff --git a/package/dbus/dbus.mk b/package/dbus/dbus.mk
index b3a79c431d..99d2c4301c 100644
--- a/package/dbus/dbus.mk
+++ b/package/dbus/dbus.mk
@@ -6,7 +6,7 @@ 
 
 # When updating dbus, check if there are changes in session.conf and
 # system.conf, and update the versions in the dbus-broker package accordingly.
-DBUS_VERSION = 1.12.24
+DBUS_VERSION = 1.12.28
 DBUS_SITE = https://dbus.freedesktop.org/releases/dbus
 DBUS_LICENSE = AFL-2.1 or GPL-2.0+ (library, tools), GPL-2.0+ (tools)
 DBUS_LICENSE_FILES = COPYING
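Review bot: the comment directly above the DBUS_VERSION line asks for session.conf and system.conf to be checked on every dbus update and the dbus-broker package to be updated accordingly, yet the diffstat lists only dbus.hash and dbus.mk and the commit message does not mention that check. Please note in the commit message whether those two files differ between 1.12.24 and 1.12.28, and include the dbus-broker change if they do. Separately, the subject line says "version 1.2.28" while this hunk sets `DBUS_VERSION = 1.12.28`; the subject should match so that a search of the log for the fixed version finds this commit.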