-D-Bus 1.10.11 (UNRELEASED)
+D-Bus 1.10.12 (2016-10-10)
==
-Fixes:
+The “not excessively inhospitable” release.
+
+Security fixes:
+
+• Do not treat ActivationFailure message received from root-owned systemd
+ name as a format string. In principle this is a security vulnerability,
+ but we do not believe it is exploitable in practice, because only
+ privileged processes can own the org.freedesktop.systemd1 bus name, and
+ systemd does not appear to send activation failures that contain "%".
+
+ Please note that this probably *was* exploitable in dbus versions
+ older than 1.6.30, 1.8.16 and 1.9.10 due to a missing check which at
+ the time was only thought to be a denial of service vulnerability
+ (CVE-2015-0245). If you are still running one of those versions,
+ patch or upgrade immediately.
+
+ (fd.o #98157, Simon McVittie)
+
+Other fixes:
+
+• Harden dbus-daemon against malicious or incorrect ActivationFailure
+ messages by rejecting them if they do not come from a privileged
+ process, or if systemd activation is not enabled
+ (fd.o #98157, Simon McVittie)
• Avoid undefined behaviour when setting reply serial number without going
via union DBusBasicValue (fd.o #98035, Marc Mutz)
m4_define([dbus_major_version], [1])
m4_define([dbus_minor_version], [10])
-m4_define([dbus_micro_version], [11])
+m4_define([dbus_micro_version], [12])
m4_define([dbus_version],
[dbus_major_version.dbus_minor_version.dbus_micro_version])
AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
## increment any time the source changes; set to
## 0 if you increment CURRENT
-LT_REVISION=7
+LT_REVISION=8
## increment if any interfaces have been added; set to 0
## if any interfaces have been changed or removed. removal has
projects / thirdparty / dbus.git / commitdiff
