From e1d20aacab56afd8795b8d7403f81c87353cc658 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Mon, 15 Sep 2014 19:37:47 +0100 Subject: 1.6.24 security release for tomorrow --- NEWS | 40 ++++++++++++++++++++++++++++++++++++++-- configure.ac | 4 ++-- 2 files changed, 40 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index e8c390f8..9b4cccd7 100644 --- a/NEWS +++ b/NEWS @@ -1,7 +1,43 @@ -D-Bus 1.6.24 (UNRELEASED) +D-Bus 1.6.24 (2014-09-16) == -... +The "least civilized in the entire galaxy" release. + +Security fixes backported from 1.8.8: + +• Do not accept an extra fd in the padding of a cmsg message, which + could lead to a 4-byte heap buffer overrun. + (CVE-2014-3635, fd.o #83622; Simon McVittie) + +• Reduce default for maximum Unix file descriptors passed per message + from 1024 to 16, preventing a uid with the default maximum number of + connections from exhausting the system bus' file descriptors under + Linux's default rlimit. Distributors or system administrators with a + more restrictive fd limit may wish to reduce these limits further. + + Additionally, on Linux this prevents a second denial of service + in which the dbus-daemon can be made to exceed the maximum number + of fds per sendmsg() and disconnect the process that would have + received them. + (CVE-2014-3636, fd.o #82820; Alban Crequy) + +• Disconnect connections that still have a fd pending unmarshalling after + a new configurable limit, pending_fd_timeout (defaulting to 150 seconds), + removing the possibility of creating an abusive connection that cannot be + disconnected by setting up a circular reference to a connection's + file descriptor. + (CVE-2014-3637, fd.o #80559; Alban Crequy) + +• Reduce default for maximum pending replies per connection from 8192 to 128, + mitigating an algorithmic complexity denial-of-service attack + (CVE-2014-3638, fd.o #81053; Alban Crequy) + +• Reduce default for authentication timeout on the system bus from + 30 seconds to 5 seconds, avoiding denial of service by using up + all unauthenticated connection slots; and when all unauthenticated + connection slots are used up, make new connection attempts block + instead of disconnecting them. + (CVE-2014-3639, fd.o #80919; Alban Crequy) D-Bus 1.6.22 (2014-06-02) == diff --git a/configure.ac b/configure.ac index ad9c843f..f896672a 100644 --- a/configure.ac +++ b/configure.ac @@ -3,7 +3,7 @@ AC_PREREQ([2.63]) m4_define([dbus_major_version], [1]) m4_define([dbus_minor_version], [6]) -m4_define([dbus_micro_version], [23]) +m4_define([dbus_micro_version], [24]) m4_define([dbus_version], [dbus_major_version.dbus_minor_version.dbus_micro_version]) AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus]) @@ -37,7 +37,7 @@ LT_CURRENT=10 ## increment any time the source changes; set to ## 0 if you increment CURRENT -LT_REVISION=8 +LT_REVISION=9 ## increment if any interfaces have been added; set to 0 ## if any interfaces have been changed or removed. removal has -- cgit v1.2.3