New changelog entries:
* Non-maintainer upload by the Security Team.
* Backport upstream patch to fix a possible call stack overflow and thus
  denial of service, when processing messages with excessively nested variants.
  This fix restricts the nesting level to 64 (52-CVE-2010-4352.patch).
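The nesting limit described in the entry above, shown as an added example that is not dbus's own code: a toy recursive validator over a constructed nested-variant encoding (`v(` ... `)` wrapped around a basic value `b`) that refuses input before it recurses past 64 levels, so recursion depth, and therefore stack use, stays bounded however long the message is. The grammar, the function names and the `MAX_NESTING_DEPTH` constant are assumptions made for illustration; only the value 64 comes from the changelog.

```c
#include <stddef.h>
#include <stdio.h>

/* Maximum number of nested containers accepted; the value is the one the
 * changelog entry names. Everything else here is constructed for illustration. */
#define MAX_NESTING_DEPTH 64

typedef enum {
    VALIDATE_OK = 0,
    VALIDATE_TOO_DEEP = 1,
    VALIDATE_MALFORMED = 2
} validate_result;

/* Toy grammar (not the D-Bus wire format):
 *   value := 'v' '(' value ')'   -- a variant holding one nested value
 *          | 'b'                 -- a basic value
 * `depth` counts the variant containers already open around this value. */
static validate_result validate_value(const char **p, const char *end, unsigned depth)
{
    if (*p >= end)
        return VALIDATE_MALFORMED;

    if (**p == 'b') {                 /* basic value: no recursion needed */
        (*p)++;
        return VALIDATE_OK;
    }

    if (**p == 'v') {                 /* variant: exactly one nested value */
        if (depth + 1 > MAX_NESTING_DEPTH)
            return VALIDATE_TOO_DEEP; /* reject BEFORE recursing any deeper */
        (*p)++;
        if (*p >= end || **p != '(')
            return VALIDATE_MALFORMED;
        (*p)++;
        validate_result r = validate_value(p, end, depth + 1);
        if (r != VALIDATE_OK)
            return r;
        if (*p >= end || **p != ')')
            return VALIDATE_MALFORMED;
        (*p)++;
        return VALIDATE_OK;
    }
    return VALIDATE_MALFORMED;
}

/* Validates a whole message: one value that consumes the entire buffer. */
validate_result validate_message(const char *msg, size_t len)
{
    const char *p = msg;
    const char *end = msg + len;
    validate_result r = validate_value(&p, end, 0);
    if (r != VALIDATE_OK)
        return r;
    return (p == end) ? VALIDATE_OK : VALIDATE_MALFORMED;
}

/* Builds a constructed message with `levels` variants wrapped around one basic
 * value, e.g. levels=2 -> "v(v(b))". Returns the length written, 0 if too big. */
size_t build_nested(char *out, size_t cap, unsigned levels)
{
    size_t need = 3 * (size_t)levels + 1;   /* "v(" and ")" per level, plus "b" */
    if (cap < need + 1)
        return 0;
    size_t i = 0;
    for (unsigned k = 0; k < levels; k++) { out[i++] = 'v'; out[i++] = '('; }
    out[i++] = 'b';
    for (unsigned k = 0; k < levels; k++)
        out[i++] = ')';
    out[i] = '\0';
    return i;
}

int main(void)
{
    char buf[4096];
    size_t n = build_nested(buf, sizeof buf, MAX_NESTING_DEPTH);
    printf("%u levels -> %d (0 = ok)\n", MAX_NESTING_DEPTH, validate_message(buf, n));
    n = build_nested(buf, sizeof buf, MAX_NESTING_DEPTH + 1);
    printf("%u levels -> %d (1 = too deep)\n", MAX_NESTING_DEPTH + 1, validate_message(buf, n));
    return 0;
}
```

The check sits before the recursive call rather than after it, which is the property that matters: a message built to nest thousands of levels is rejected at level 65 having consumed only 64 stack frames, whereas a validator that only counted depth on the way back up would already have overflowed the stack.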
New changelog entries:
* debian/patches/52-CVE-2009-1189.patch
  - Security: The _dbus_validate_signature_with_reason function
    (dbus-marshal-validate.c) uses incorrect logic to validate a basic type,
    which allows remote attackers to spoof a signature via a crafted key.
    NOTE: this is due to an incorrect fix for CVE-2008-3834
    Closes: #532720
    Fixes: CVE-2009-1189
* Urgency high for the security fix.
New changelog entries:
[ Sjoerd Simons ]
* debian/patches/CVE-2008-4311.patch:
  + Added, Fixes CVE-2008-4311. A mistake in the default configuration for
    the system bus (system.conf) which made the default policy for both sent
    and received messages effectively *allow*, and not deny as intended. This
    patch fixes the send side permissions (Closes: #503532, #508032)
* Urgency high for the security fix
[ Simon McVittie ]
* Rename CVE-*.patch to prefix them with a sequence number so it's clear
  what order they should apply in
* Add 51-CVE-2008-4311-but-allow-signals.patch, cherry-picked from upstream
  git commit d899734475: after fixing CVE-2008-4311, re-allow emitting
  signals
* debian/patches/3[0-4]*.patch, cherry-picked from upstream git (see patches
  for commit IDs): add logging when permission to send a message is denied
* debian/patches/35-syslog-h.patch: #include <syslog.h> to fix compilation
  with the logging patches applied
* Add myself to Uploaders