From: Simon McVittie Date: Thu, 14 May 2015 12:28:38 +0000 (+0100) Subject: 1.8.18 X-Git-Tag: dbus-1.8.18^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1788e8f93d80007ead16490b54e15000a89ecff1;p=thirdparty%2Fdbus.git 1.8.18 --- diff --git a/NEWS b/NEWS index 332928b0c..4da37321b 100644 --- a/NEWS +++ b/NEWS @@ -1,7 +1,30 @@ -D-Bus 1.8.18 (UNRELEASED) +D-Bus 1.8.18 (2015-05-14) == -Fixes: +The “unicorn rifts” release. + +Security hardening: + +• On Unix platforms, change the default configuration for the session bus + to only allow EXTERNAL authentication (secure kernel-mediated + credentials-passing), as was already done for the system bus. + + This avoids falling back to DBUS_COOKIE_SHA1, which relies on strongly + unpredictable pseudo-random numbers; under certain circumstances + (/dev/urandom unreadable or malloc() returns NULL), dbus could + fall back to using rand(), which does not have the desired unpredictability. + The fallback to rand() has not been changed in this stable-branch since + the necessary code changes for correct error-handling are rather intrusive. + + If you are using D-Bus over the (unencrypted!) tcp: or nonce-tcp: transport, + in conjunction with DBUS_COOKIE_SHA1 and a shared home directory using + NFS or similar, you will need to reconfigure the session bus to accept + DBUS_COOKIE_SHA1 by commenting out the element. This configuration + is not recommended. + + (fd.o #90414, Simon McVittie) + +Other fixes: • Add locking to DBusCounter's reference count and notify function (fd.o #89297, Adrian Szyndela) diff --git a/configure.ac b/configure.ac index 60e1b3447..eb803af34 100644 --- a/configure.ac +++ b/configure.ac 
@@ -3,7 +3,7 @@ AC_PREREQ([2.63]) m4_define([dbus_major_version], [1]) m4_define([dbus_minor_version], [8]) -m4_define([dbus_micro_version], [17]) +m4_define([dbus_micro_version], [18]) m4_define([dbus_version], [dbus_major_version.dbus_minor_version.dbus_micro_version]) AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus]) @@ -37,7 +37,7 @@ LT_CURRENT=11 ## increment any time the source changes; set to ## 0 if you increment CURRENT -LT_REVISION=11 +LT_REVISION=12 ## increment if any interfaces have been added; set to 0 ## if any interfaces have been changed or removed. removal has
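Review bot: In the NEWS hunk, the sentence "you will need to reconfigure the session bus to accept DBUS_COOKIE_SHA1 by commenting out the element" names no element as it appears here, so an administrator reading the release notes cannot tell what to edit. Name the element and the configuration file that contains it. The same entry says the fallback to rand() "has not been changed in this stable-branch", so it is worth stating outright that anyone who re-enables DBUS_COOKIE_SHA1 as described is still subject to that fallback when /dev/urandom is unreadable or malloc() returns NULL, rather than leaving it implied by "This configuration is not recommended".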