New changelog entries:
* REGRESSION FIX: some applications launched with the activation helper
  may need DBUS_STARTER_ADDRESS. (LP: #1058343)
  - debian/patches/87-CVE-2012-3524-regression-fix.patch: hardcode the
    starter address to the default system bus address.
New changelog entries:
* SECURITY UPDATE: privilege escalation via unsanitized environment
  - debian/patches/86-CVE-2012-3524.patch: Don't access environment
    variables or run dbus-launch when setuid in configure.in,
    dbus/dbus-keyring.c, dbus/dbus-sysdeps*
  - CVE-2012-3524
New changelog entries:
* SECURITY UPDATE: denial of service via messages with non-native byte order
  - debian/patches/85-CVE-2011-2200.patch: update dbus-marshal-header.c
    to verify header->data byte order and header->byte_order match in
    _dbus_header_byteswap()
  - CVE-2011-2200
New changelog entries:
* SECURITY UPDATE: fix DoS with too deeply nested messages
  - debian/patches/84-CVE-2010-4352.patch: Limit nesting to 64 for dynamic
    message variants. Backported from upstream.
  - CVE-2010-4352
  - LP: #688992
* debian/control: Build-Depends on libexpat1-dev instead of libexpat-dev
New changelog entries:
* SECURITY UPDATE: Signature spoofing via incorrect logic
  - debian/patches/83-security-CVE-2009-1189.patch: fix logic in
    dbus/dbus-marshal-validate.c and fix test in
    dbus/dbus-marshal-validate-util.c.
  - CVE-2009-1189