New changelog entries:
  * SECURITY UPDATE: denial of service via large number of pending replies
    - debian/patches/CVE-2014-3638.patch: reduce max_replies_per_connection
      to 128 in bus/config-parser.c.
    - CVE-2014-3638
  * SECURITY UPDATE: denial of service via incomplete connections
    - debian/patches/CVE-2014-3639.patch: reduce auth_timeout in
      bus/config-parser.c, stop listening on DBusServer sockets when
      reaching max_incomplete_connections in bus/bus.*, bus/connection.*,
      dbus/dbus-server-protected.h, dbus/dbus-server.c, dbus/dbus-watch.*.
    - CVE-2014-3639
New changelog entries:
  * REGRESSION FIX: some applications launched with the activation helper
    may need DBUS_STARTER_ADDRESS. (LP: #1058343)
    - debian/patches/CVE-2012-3524-regression-fix.patch: hardcode the
      starter address to the default system bus address.
  * REGRESSION FIX: unclean shutdown after dbus upgrade (LP: #740390)
    - debian/libdbus-1-3.postinst: trigger an upstart re-exec before
      shutdown or reboot so that it can safely unmount the root
      filesystem.
New changelog entries:
  * SECURITY UPDATE: privilege escalation via unsanitized environment
    - debian/patches/CVE-2012-3524-dbus.patch: Don't access environment
      variables or run dbus-launch when setuid in configure.in,
      dbus/dbus-keyring.c, dbus/dbus-sysdeps*
    - CVE-2012-3524
New changelog entries:
  * SECURITY UPDATE: denial of service via messages with non-native byte order
    - debian/patches/99-CVE-2011-2200.patch: update dbus-marshal-header.c
      to verify header->data byte order and header->byte_order match in
      _dbus_header_byteswap()
    - CVE-2011-2200
New changelog entries:
  * SECURITY UPDATE: fix DoS with too deeply nested messages
    - debian/patches/99-CVE-2010-4352.patch: Limit nesting to 64 for dynamic
      message variants. Backported from upstream.
    - CVE-2010-4352
    - LP: #688992
New changelog entries:
  * Add debian/dbus.links: provide a symlink for dbus-daemon-launch-helper's
    old location in /usr, to provide a more stable upgrade from Hardy. This
    can be dropped in Lucid+1. (LP: #551672)
New changelog entries:
  * debian/dbus-Xsession: Use new "has_option" function from x11-common
    instead of grepping the option file, to avoid calling an external program.
New changelog entries:
  * Merge with Debian testing; Remaining Ubuntu changes:
    - Install into / rather than /usr.
    - debian/control: Depend on ConsoleKit for "at_console" policy stanza.
    - debian/dbus.postinst: Do not restart dbus on upgrades, since it breaks
      too many applications. Instead, trigger a "reboot required" notification.
    - debian/dbus.postinst: Create /var/run/dbus in postinst to handle system
      being rebooted before package is configured. (LP: #275229)
    - Add debian/dbus.upstart and bump debhelper b-dep to ensure that it is
      properly installed.
    - 11_timeout_handling.patch: Fix timeout accounting. The
      elapsed_milliseconds contains the time from the start, so subtracting it
      on every iteration means that the timeout is much less than what is
      requested. Instead compare the absolute values, but pass the difference
      to calls which want a timeout so that the correct remaining time is
      used. (LP: #376145)
    - 20_system_conf_limit.patch: Increase max_match_rules_per_connection for
      the system bus to 5000. (LP: #454093)
    - 81-session.conf-timeout.patch: Raise the service startup timeout from 25
      to 60 seconds. It may be too short on the live CD with slow machines.
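The timeout accounting problem described for 11_timeout_handling.patch, modelled as an added example. This is not dbus code: the two functions, their names, and the clock readings are constructed here to show why charging the cumulative elapsed time on every iteration makes a wait expire early, and how comparing against the absolute budget fixes it.

```c
#include <stdio.h>

/* Added example, not dbus code. elapsed_since_start[] stands in for a
 * clock read at the top of each wait iteration: constructed, cumulative
 * milliseconds since the wait began. Each function returns the clock
 * reading (ms) at which the loop decided the timeout had expired, or -1
 * if it never expired within the supplied readings. */

/* Buggy accounting: the running total since the start is subtracted on
 * every iteration, so time already charged is charged again and the loop
 * gives up long before the requested timeout has really elapsed. */
int buggy_timeout_expiry_ms(int timeout_ms, const int *elapsed_since_start, int n)
{
    int remaining = timeout_ms;
    for (int i = 0; i < n; i++) {
        remaining -= elapsed_since_start[i];
        if (remaining <= 0)
            return elapsed_since_start[i];
    }
    return -1;
}

/* Fixed accounting: compare the absolute elapsed time against the absolute
 * budget, and pass only the difference to the call that wants a timeout
 * (poll() in the real code), so the correct remaining time is used. */
int fixed_timeout_expiry_ms(int timeout_ms, const int *elapsed_since_start, int n)
{
    for (int i = 0; i < n; i++) {
        int remaining = timeout_ms - elapsed_since_start[i];
        if (remaining <= 0)
            return elapsed_since_start[i];
        /* poll(fds, nfds, remaining) would be issued here */
    }
    return -1;
}

/* Constructed clock: one reading every 100 ms, up to 1000 ms. */
#define N_TICKS 10
static const int sample_ticks[N_TICKS] = {100, 200, 300, 400, 500, 600, 700, 800, 900, 1000};

/* A requested 1000 ms wait driven by the constructed clock. */
int demo_buggy(void) { return buggy_timeout_expiry_ms(1000, sample_ticks, N_TICKS); }
int demo_fixed(void) { return fixed_timeout_expiry_ms(1000, sample_ticks, N_TICKS); }

int main(void)
{
    printf("requested 1000 ms; buggy loop expired at %d ms, fixed loop at %d ms\n",
           demo_buggy(), demo_fixed());
    return 0;
}
```

With the constructed readings the buggy loop charges 100+200+300+400 ms against a 1000 ms budget and expires after only 400 ms of wall time; the fixed loop expires when the clock actually reads 1000 ms.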