992b106d1d
Fixes the following security issues: - CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1 authentication for identities that differ from the user running the DBusServer. Previously, a local attacker could manipulate symbolic links in their own home directory to bypass authentication and connect to a DBusServer with elevated privileges. The standard system and session dbus-daemons in their default configuration were immune to this attack because they did not allow DBUS_COOKIE_SHA1, but third-party users of DBusServer such as Upstart could be vulnerable. Thanks to Joe Vennix of Apple Information Security. For details, see the advisory: https://www.openwall.com/lists/oss-security/2019/06/11/2 Also contains a number of other smaller fixes, including fixes for memory leaks. For details, see NEWS: https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12/NEWS Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
||
|---|---|---|
| .. | ||
| Config.in | ||
| S30dbus | ||
| dbus.hash | ||
| dbus.mk | ||