1.8.22

diff --git a/NEWS b/NEWS
index 732daee5a08b44b2e9cdd7809c10ecdbf55b2455..802f4e5398718e34c335e235b8c1a0aff81c86f0 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,7 +1,23 @@
-D-Bus 1.8.22 (UNRELEASED)
+D-Bus 1.8.22 (2016-10-10)
 ==
 
-...
+The “barren and lifeless” release.
+
+Security fixes:
+
+• Do not treat ActivationFailure message received from root-owned systemd
+  name as a format string. In principle this is a security vulnerability,
+  but we do not believe it is exploitable in practice, because only
+  privileged processes can own the org.freedesktop.systemd1 bus name, and
+  systemd does not appear to send activation failures that contain "%".
+
+  Please note that this probably *was* exploitable in dbus versions
+  older than 1.6.30, 1.8.16 and 1.9.10 due to a missing check which at
+  the time was only thought to be a denial of service vulnerability
+  (CVE-2015-0245). If you are still running one of those versions,
+  patch or upgrade immediately.
+
+  (fd.o #98157, Simon McVittie)
 
 D-Bus 1.8.20 (2015-07-21)
 ==

diff --git a/configure.ac b/configure.ac
index 495dacca8256b9682cd99dd44304b80c5ab49c88..dee06f4a2f3f83b80d2a722471602c7bc56c1317 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -3,7 +3,7 @@ AC_PREREQ([2.63])
 
 m4_define([dbus_major_version], [1])
 m4_define([dbus_minor_version], [8])
-m4_define([dbus_micro_version], [21])
+m4_define([dbus_micro_version], [22])
 m4_define([dbus_version],
           [dbus_major_version.dbus_minor_version.dbus_micro_version])
 AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus])
@@ -37,7 +37,7 @@ LT_CURRENT=11
 
 ## increment any time the source changes; set to
 ##  0 if you increment CURRENT
-LT_REVISION=13
+LT_REVISION=14
 
 ## increment if any interfaces have been added; set to 0
 ## if any interfaces have been changed or removed. removal has