Overview

File _patchinfo of Package patchinfo.294

<patchinfo incident="294">
  <issue id="CVE-2015-0245" tracker="cve" />
  <issue tracker="bnc" id="916343" />
  <issue tracker="bnc" id="916785">dbus: /etc/init.d/dbus has syntax error</issue>
  <category>security</category>
  <rating>moderate</rating>
  <packager>fstrba</packager>
  <description>dbus-1 was updated to version 1.8.16 to fix one security issue.

This update fixes the following security issue:

- CVE-2015-0245: Do not allow non-uid-0 processes to send forged
  ActivationFailure messages. On Linux systems with systemd
  activation, this would allow a local denial of service (bnc#916343).

These additional security hardenings are included:

- Do not allow calls to UpdateActivationEnvironment from uids
  other than the uid of the dbus-daemon. If a system service
  installs unsafe security policy rules that allow arbitrary
  method calls (such as CVE-2014-8148) then this prevents
  memory consumption and possible privilege escalation via
  UpdateActivationEnvironment.
- Do not allow calls to UpdateActivationEnvironment or the
  Stats interface on object paths other than
  /org/freedesktop/DBus. Some system services install unsafe
  security policy rules that allow arbitrary method calls to
  any destination, method and interface with a specified object
  path.
</description>
  <summary>Security update for dbus-1</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places