Revisions of dbus-1

Dominique Leuenberger (dimstar_suse) committed (revision 180)
Expedited checkin of diffutils -> cmp migration
Ana Guerrero (anag+factory) accepted request 1112496 from Factory Maintainer (factory-maintainer) (revision 179)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1092691 from Dirk Mueller (dirkmueller) (revision 178)
- update to 1.14.8 (bsc#1212126, CVE-2023-34969):
  * Denial-of-service fixes:
  * Fix an assertion failure in dbus-daemon when a privileged
    Monitoring connection (dbus-monitor, busctl monitor, gdbus
    monitor or similar) is active, and a message from the bus
    driver cannot be delivered to a client connection due to
    <deny> rules or outgoing message quota. This
    is a denial of service if triggered maliciously by a local
    attacker.
  * Fix compilation on compilers not supporting __FUNCTION__
  * Fix some memory leaks on out-of-memory conditions
  * Fix syntax of a code sample in dbus-api-design
Dominique Leuenberger (dimstar_suse) accepted request 1031295 from Dirk Mueller (dirkmueller) (revision 175)
- update to 1.14.4 (bsc#1204111, CVE-2022-42010, 
                    bsc#1204112, CVE-2022-42011,
                    bsc#1204113, CVE-2022-42012):
  This is a security update for the dbus 1.14.x stable branch, fixing
  denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying
  security hardening (dbus#416).
  Behaviour changes:
  * On Linux, dbus-daemon and other uses of DBusServer now create a
     path-based Unix socket, unix:path=..., when asked to listen on a
     unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to
     unix:dir=... on all platforms.
     Previous versions would have created an abstract socket, unix:abstract=...,
     in this situation.
     This change primarily affects the well-known session bus when run via
     dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring
     dbus with --enable-user-session and running it on a systemd system,
     already used path-based Unix sockets and is unaffected by this change.
     This behaviour change prevents a sandbox escape via the session bus socket
     in sandboxing frameworks that can share the network namespace with the host
     system, such as Flatpak.
     This change might cause a regression in situations where the abstract socket
     is intentionally shared between the host system and a chroot or container,
     such as some use-cases of schroot(1). That regression can be resolved by
     using a bind-mount to share either the D-Bus socket, or the whole /tmp
     directory, with the chroot or container.
     (dbus#416, Simon McVittie)
  * Denial of service fixes:
    - Evgeny Vereshchagin discovered several ways in which an authenticated
      local attacker could cause a crash (denial of service) in
      dbus-daemon --system or a custom DBusServer. In uncommon configurations
Dominique Leuenberger (dimstar_suse) accepted request 1010413 from Dirk Mueller (dirkmueller) (revision 173)
- Disable asserts (bsc#1087072)
Dominique Leuenberger (dimstar_suse) accepted request 981473 from Dirk Mueller (dirkmueller) (revision 172)
- version provides
- add split provides
- remove unused/obsolete pre_checkin.sh

- The great dbus package split of 22, in preparation for replacing
  dbus-daemon with dbus-broker. Currently there is no functional
  difference; that will change later. This follows a similar setup
  to Red Hat and Debian.
  * dbus-daemon is now in its own separate package
  * Create a dbus-1-common package with all the files and config
    that are shared between the dbus-daemon and dbus-broker
    implementations.
  * Create a dbus-1-tools package with the tools. Eventually we will
    likely want to move to only recommending this package; Red Hat and
    Debian have both already gone down this path.
Dominique Leuenberger (dimstar_suse) accepted request 961966 from Dirk Mueller (dirkmueller) (revision 170)
- set runstatedir correctly
Dominique Leuenberger (dimstar_suse) accepted request 883704 from Dirk Mueller (dirkmueller) (revision 166)
- avoid listing cmake directory - owned by cmake package
Dominique Leuenberger (dimstar_suse) accepted request 826904 from Dirk Mueller (dirkmueller) (revision 162)
- Update to 1.12.20
  * On Unix, avoid a use-after-free if two usernames have the same
    numeric uid. In older versions this could lead to a crash (denial of
    service) or other undefined behaviour, possibly including incorrect
    authorization decisions if <policy group=...> is used.
    Like Unix filesystems, D-Bus' model of identity cannot distinguish
    between users of different names with the same numeric uid, so this
    configuration is not advisable on systems where D-Bus will be used.
    Thanks to Daniel Onaca.
    (dbus#305, dbus!166; Simon McVittie)
- From 1.12.18
  * CVE-2020-12049: If a message contains more file descriptors than can
    be sent, close those that did get through before reporting error.
    Previously, a local attacker could cause the system dbus-daemon (or
    another system service with its own DBusServer) to run out of file
    descriptors, by repeatedly connecting to the server and sending fds that
    would get leaked.
    Thanks to Kevin Backhouse of GitHub Security Lab.
    (dbus#294, GHSL-2020-057; Simon McVittie)
  * Fix a crash when the dbus-daemon is terminated while one or more
    monitors are active (dbus#291, dbus!140; Simon McVittie)
  * The dbus-send(1) man page now documents --bus and --peer instead of
    the old --address synonym for --peer, which has been deprecated since
    the introduction of --bus and --peer in 1.7.6
    (fd.o #48816, dbus!115; Chris Morin)
  * Fix a wrong environment variable name in dbus-daemon(1)
    (dbus#275, dbus!122; Mubin, Philip Withnall)
  * Fix formatting of dbus_message_append_args example
    (dbus!126, Felipe Franciosi)
  * Avoid a test failure on Linux when built in a container as uid 0, but