From 979b6651f0876b1be07a6d848c30bd1a74f96a70 Mon Sep 17 00:00:00 2001 From: Miloslav Trmač Date: Wed, 18 Sep 2013 18:40:48 +0200 Subject: Update NEWS for release MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Miloslav Trmač --- NEWS | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 830c8f3..4262392 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,8 @@ polkit 0.112 -------------- +NOTE: This release is an important security update, see below. + WARNING WARNING WARNING: This is a prerelease on the road to polkit 1.0. Public API might change and certain parts of the code still needs some security review. Use at your own risk. @@ -9,7 +11,18 @@ some security review. Use at your own risk. This is polkit 0.112. Highlights: - TODO + This release fixes CVE-2013-4288: Race condition with process subjects that do + not have securely determined uid. + + pkcheck(1) now supports a new format for the --process argument; all + applications need to use the new format to avoid a race condition (or use + --system-bus-name to identify the process instead). + + Similarly, applications using the API should always use + polkit_unix_process_new_for_owner(). polkit_unix_process_new() and + polkit_unix_process_new_full() are unsafe and have been deprecated. + + Thanks to Sebastian Krahmer of the SUSE Security Team for reporting this issue. Build requirements 
@@ -21,12 +34,24 @@ Build requirements Changes since polkit 0.111: - TODO +Colin Walters (2): + polkitunixprocess: Deprecate racy APIs + pkcheck: Support --process=pid,start-time,uid syntax too + +Miloslav Trmač (1): + Post-release version bump to 0.112 + +Tomas Bzatek (1): + Use GOnce for interface type registration + +Tomas Chvatal (2): + Add czech translation po file to distribution. + Update the czech once more with newest pot file. Thanks to our contributors. -Miloslav Trmač, -$DATE +Colin Walters and Miloslav Trmač, +September 18, 2013 -------------- polkit 0.111 -- cgit v1.2.3
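Review bot: In the first hunk (Highlights), the pkcheck(1) paragraph tells applications to move to "a new format for the --process argument" but never states what that format is; the only place it appears is the shortlog entry "pkcheck: Support --process=pid,start-time,uid syntax too" further down. Suggest spelling out `--process=pid,start-time,uid` in this paragraph, and stating whether the old form is still accepted, since "too" in the shortlog line implies it is while this text says all applications need to use the new format. The same paragraph could also say which argument of polkit_unix_process_new_for_owner() closes the race, so callers of the deprecated functions know what they have to supply.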
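Review bot: In the second hunk ("Changes since polkit 0.111"), nothing ties the shortlog entries to CVE-2013-4288, so someone backporting the security fix has to infer which commits carry it. The two Colin Walters entries ("polkitunixprocess: Deprecate racy APIs" and "pkcheck: Support --process=pid,start-time,uid syntax too") appear to be the relevant ones; suggest naming them as the fix in the Highlights text or marking them here, so the remaining entries (GOnce type registration, translations, version bump) are clearly not part of the security change.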