* [Buildroot] [git commit] package/dbus: security bump to version 1.2.28
From: Arnout Vandecappelle via buildroot @ 2023-06-25 19:24 UTC
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=52ae2a4e1d10da4ea46bc730db69a40d79eb835a
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Fixes the following security issues:
- CVE-2023-34969: Fix an assertion failure in dbus-daemon when a privileged
Monitoring connection (dbus-monitor, busctl monitor, gdbus monitor or
similar) is active, and a message from the bus driver cannot be delivered
to a client connection due to <deny> rules or outgoing message quota.
This is a denial of service if triggered maliciously by a local attacker.
- Fix an incorrect assertion that could be used to crash dbus-daemon or
other users of DBusServer prior to authentication, if libdbus was compiled
with assertions enabled.
For details, see the NEWS file:
https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12/NEWS
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
---
package/dbus/dbus.hash | 4 ++--
package/dbus/dbus.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/dbus/dbus.hash b/package/dbus/dbus.hash
index 17c70004ba..0e48d4dafd 100644
--- a/package/dbus/dbus.hash
+++ b/package/dbus/dbus.hash
@@ -1,7 +1,7 @@
# Locally calculated after checking pgp signature
-# https://dbus.freedesktop.org/releases/dbus/dbus-1.12.24.tar.gz.asc
+# https://dbus.freedesktop.org/releases/dbus/dbus-1.12.28.tar.gz.asc
# using key 36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F
-sha256 bc42d196c1756ac520d61bf3ccd6f42013617def45dd1e591a6091abf51dca38 dbus-1.12.24.tar.gz
+sha256 9da1e3f2b73f75eec0a9e4509d64be43909d1f2853fe809528a0a53984d76420 dbus-1.12.28.tar.gz
# Locally calculated
sha256 0e46f54efb12d04ab5c33713bacd0e140c9a35b57ae29e03c853203266e8f3a1 COPYING
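Review bot: The comment kept as context at the top of dbus.hash says the sha256 is calculated locally after checking the pgp signature, and the key line 36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F is unchanged, so this hunk asserts that dbus-1.12.28.tar.gz.asc verifies against the same key as 1.12.24 did. The commit message does not say the signature was re-checked for the new tarball; a sentence confirming that (or an updated key comment if the signer changed) would make the new hash auditable. The COPYING hash stays as context, so the license text is taken to be unchanged.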
diff --git a/package/dbus/dbus.mk b/package/dbus/dbus.mk
index b3a79c431d..99d2c4301c 100644
--- a/package/dbus/dbus.mk
+++ b/package/dbus/dbus.mk
@@ -6,7 +6,7 @@
# When updating dbus, check if there are changes in session.conf and
# system.conf, and update the versions in the dbus-broker package accordingly.
-DBUS_VERSION = 1.12.24
+DBUS_VERSION = 1.12.28
DBUS_SITE = https://dbus.freedesktop.org/releases/dbus
DBUS_LICENSE = AFL-2.1 or GPL-2.0+ (library, tools), GPL-2.0+ (tools)
DBUS_LICENSE_FILES = COPYING
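Review bot: The comment kept as context above DBUS_VERSION asks that session.conf and system.conf be checked on every dbus update and the dbus-broker package adjusted accordingly, but the diffstat touches only dbus.hash and dbus.mk and the commit message does not mention that check. Suggest stating in the log that both files are unchanged between 1.12.24 and 1.12.28, or adding the dbus-broker update to this change. Separately, the subject line says "1.2.28" while this hunk sets "DBUS_VERSION = 1.12.28"; the subject should read 1.12.28.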
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [git commit] package/dbus: security bump to version 1.2.28
From: Peter Korsgaard @ 2023-07-16 6:06 UTC
To: Arnout Vandecappelle via buildroot
>>>>> "Arnout" == Arnout Vandecappelle via buildroot <buildroot@buildroot.org> writes:
> commit: https://git.buildroot.net/buildroot/commit/?id=52ae2a4e1d10da4ea46bc730db69a40d79eb835a
> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
> Fixes the following security issues:
> - CVE-2023-34969: Fix an assertion failure in dbus-daemon when a privileged
> Monitoring connection (dbus-monitor, busctl monitor, gdbus monitor or
> similar) is active, and a message from the bus driver cannot be delivered
> to a client connection due to <deny> rules or outgoing message quota.
> This is a denial of service if triggered maliciously by a local attacker.
> - Fix an incorrect assertion that could be used to crash dbus-daemon or
> other users of DBusServer prior to authentication, if libdbus was compiled
> with assertions enabled.
> For details, see the NEWS file:
> https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12/NEWS
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Committed to 2023.02.x and 2023.05.x, thanks.
--
Bye, Peter Korsgaard