File mingw64-dbus-1.changes of Package mingw64-dbus-1
-------------------------------------------------------------------
Mon Apr 1 19:12:25 UTC 2024 - Ralf Habacker <ralf.habacker@freenet.de>
- Update to dbus 1.14.10 (2022-10-05)
Bug fixes:
* Avoid a dbus-daemon crash if re-creating a connection's policy fails.
If it isn't possible to re-create its policy (for example if it belongs
to a user account that has been deleted or if the Name Service Switch is
broken, on a system not supporting SO_PEERGROUPS), we now log a warning,
continue to use its current policy, and continue to reload other
connections' policies. (dbus#343; Peter Benie, Simon McVittie)
* If getting the groups from a user ID fails, report the error correctly,
instead of logging "(null)" (dbus#343, Simon McVittie)
* Return the primary group ID in GetConnectionCredentials()' UnixGroupIDs
field for processes with a valid-but-empty supplementary group list
(dbus!422, cptpcrd)
- Update to dbus 1.14.8 (2023-06-06)
Denial-of-service fixes:
* Fix an assertion failure in dbus-daemon when a privileged Monitoring
connection (dbus-monitor, busctl monitor, gdbus monitor or similar)
is active, and a message from the bus driver cannot be delivered to a
client connection due to <deny> rules or outgoing message quota. This
is a denial of service if triggered maliciously by a local attacker.
(dbus#457; hongjinghao, Simon McVittie)
Other fixes:
* Fix compilation on compilers not supporting __FUNCTION__
(dbus!404, Barnabás Pőcze)
* Fix some memory leaks on out-of-memory conditions
(dbus!403, Barnabás Pőcze)
* Documentation:
· Fix syntax of a code sample in dbus-api-design
(dbus!396; Yen-Chin, Lee)
Tests and CI enhancements:
* Fix CI pipelines after freedesktop/freedesktop#540
(dbus!405, dbus#456; Simon McVittie)
- Update to dbus 1.14.6 (2023-02-08)
Denial of service fixes:
* Fix an incorrect assertion that could be used to crash dbus-daemon or
other users of DBusServer prior to authentication, if libdbus was compiled
with assertions enabled.
We recommend that production builds of dbus, for example in OS distributions,
should be compiled with checks but without assertions.
(dbus#421, Ralf Habacker; thanks to Evgeny Vereshchagin)
Other fixes:
* When connected to a dbus-broker, stop dbus-monitor from incorrectly
replying to Peer method calls that were sent to the dbus-broker with
a NULL destination (dbus#301, Kai A. Hiller)
* Fix out-of-bounds varargs read in the dbus-daemon's config-parser.
This is not attacker-triggerable and appears to be harmless in practice,
but is technically undefined behaviour and is detected as such by
AddressSanitizer. (dbus!357, Evgeny Vereshchagin)
* Avoid a data race in multi-threaded use of DBusCounter
(dbus#426, Ralf Habacker)
* Fix a crash with some glibc versions when non-auditable SELinux events
are logged (dbus!386, Jeremi Piotrowski)
* If dbus_message_demarshal() runs out of memory while validating a message,
report it as NoMemory rather than InvalidArgs (dbus#420, Simon McVittie)
* Use C11 _Alignof if available, for better standards-compliance
(dbus!389, Khem Raj)
* Stop including an outdated copy of pkg.m4 in the git tree
(dbus!365, Simon McVittie)
* Documentation:
· Consistently use Gitlab bug reporting URL (dbus!372, Marco Trevisan)
* Tests fixes:
· Fix the test-apparmor-activation test after dbus#416
(dbus!380, Dave Jones)
Internal changes:
* Fix CI builds with recent git versions (dbus#447, Simon McVittie)
- Updated patch to fix building on Tumbleweed:
* add patch dbus-1.14.4-add-enable-relocation-force.patch
-------------------------------------------------------------------
Wed Jan 18 23:53:46 UTC 2023 - Ralf Habacker <ralf.habacker@freenet.de>
- Update package
* drop installing file INSTALL to fix warning: install-file-in-docs
* drop obsolete patch add-enable-relocation-force.patch
* drop obsolete BuildRoot
* drop unused doc install dir 'dbus-1'
* add patch dbus-1.14.4-add-enable-relocation-force.patch
* reorder file list
* use %autosetup
-------------------------------------------------------------------
Wed Jan 18 23:29:00 UTC 2023 - Ralf Habacker <ralf.habacker@freenet.de>
- Update to dbus 1.14.4 (2022-10-05)
This is a security update for the dbus 1.14.x stable branch, fixing
denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying
security hardening (dbus#416).
Behaviour changes:
* On Linux, dbus-daemon and other uses of DBusServer now create a
path-based Unix socket, unix:path=..., when asked to listen on a
unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to
unix:dir=... on all platforms.
Previous versions would have created an abstract socket, unix:abstract=...,
in this situation.
This change primarily affects the well-known session bus when run via
dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring
dbus with --enable-user-session and running it on a systemd system,
already used path-based Unix sockets and is unaffected by this change.
This behaviour change prevents a sandbox escape via the session bus socket
in sandboxing frameworks that can share the network namespace with the host
system, such as Flatpak.
This change might cause a regression in situations where the abstract socket
is intentionally shared between the host system and a chroot or container,
such as some use-cases of schroot(1). That regression can be resolved by
using a bind-mount to share either the D-Bus socket, or the whole /tmp
directory, with the chroot or container.
(dbus#416, Simon McVittie)
Denial of service fixes:
Evgeny Vereshchagin discovered several ways in which an authenticated
local attacker could cause a crash (denial of service) in
dbus-daemon --system or a custom DBusServer. In uncommon configurations
these could potentially be carried out by an authenticated remote attacker.
* An invalid array of fixed-length elements where the length of the array
is not a multiple of the length of the element would cause an assertion
failure in debug builds or an out-of-bounds read in production builds.
This was a regression in version 1.3.0.
(dbus#413, CVE-2022-42011; Simon McVittie)
* A syntactically invalid type signature with incorrectly nested parentheses
and curly brackets would cause an assertion failure in debug builds.
Similar messages could potentially result in a crash or incorrect message
processing in a production build, although we are not aware of a practical
example. (dbus#418, CVE-2022-42010; Simon McVittie)
* A message in non-native endianness with out-of-band Unix file descriptors
would cause a use-after-free and possible memory corruption in production
builds, or an assertion failure in debug builds. This was a regression in
version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie)
- Update to dbus 1.14.2 (2022-09-26)
Fixes:
* Fix build failure on FreeBSD (dbus!277, Alex Richardson)
* Fix build failure on macOS with launchd enabled
(dbus!287, Dawid Wróbel)
* Preserve errno on failure to open /proc/self/oom_score_adj
(dbus!285, Gentoo#834725; Mike Gilbert)
* On Linux, don't log warnings if oom_score_adj is read-only but does not
need to be changed (dbus!291, Simon McVittie)
* Slightly improve error-handling for inotify
(dbus!235, Simon McVittie)
* Don't crash if dbus-daemon is asked to watch more than 128 directories
for changes (dbus!302, Jan Tojnar)
* Autotools build system fixes:
· Don't treat --with-x or --with-x=yes as a request to disable X11,
fixing a regression in 1.13.20. Instead, require X11 libraries and
fail if they cannot be detected. (dbus!263, Lars Wendler)
· When a CMake project uses an Autotools-built libdbus in a
non-standard prefix, find dbus-arch-deps.h successfully
(dbus#314, Simon McVittie)
· Don't include generated XML catalog in source releases
(dbus!317, Jan Tojnar)
· Improve robustness of detecting gcc __sync atomic builtins
(dbus!320, Alex Richardson)
* CMake build system fixes:
· Detect endianness correctly, fixing interoperability with other D-Bus
implementations on big-endian systems (dbus#375, Ralf Habacker)
· When building for Unix, install session and system bus setup
in the intended locations
(dbus!267, dbus!297; Ralf Habacker, Alex Richardson)
· Detect setresuid() and getresuid() (dbus!319, Alex Richardson)
· Detect backtrace() on FreeBSD (dbus!281, Alex Richardson)
· Don't include headers from parent directory (dbus!282, Alex Richardson)
· Distinguish between host and target TMPDIR when cross-compiling
(dbus!279, Alex Richardson)
· Fix detection of atomic operations (dbus!306, Alex Richardson)
Tests and CI enhancements:
* On Unix, skip tests that switch uid if run in a container that is
unable to do so, instead of failing (dbus#407, Simon McVittie)
* Use the latest MSYS2 packages for CI
(Ralf Habacker, Simon McVittie)
- Update to dbus 1.14.0 (2022-02-28)
1.14.x is a new stable branch, superseding 1.12.x.
Summary of major changes between 1.12.x and 1.14.0
--------------------------------------------------
Dependencies:
* dbus now requires at least a basic level of support for C99 variadic
macros, as implemented in gcc >= 3, all versions of Clang, and
MSVC >= 2005. In practice this requirement has existed since version
1.9.2, but it is now official.
* dbus now requires a C99-compatible va_copy() macro (or a __va_copy()
macro with the same behaviour), except when building for Windows using
MSVC and CMake.
* On Unix platforms, if getpwnam_r() and getgrnam_r() are implemented,
they must be POSIX-conformant. The non-POSIX signature seen in ancient
Solaris versions will no longer work.
* All Windows builds now require Windows Vista or later.
(Note that we do not recommend or support use of dbus on operating
systems outside their vendor's security support lifetime, such as Vista.)
* GLib >= 2.38 is required if full test coverage is enabled
(reduced from 2.40 in dbus 1.12.x.)
* Building using CMake now requires CMake 3.4.
* Building documentation using CMake now requires xsltproc, Docbook DTDs
(for example docbook-xml on Debian derivatives), and Docbook XSLT
stylesheets (for example docbook-xsl on Debian derivatives). Using
KDE's meinproc4 documentation processor is no longer supported.
Build-time configuration changes:
* Move CMake build system to top level, matching normal practice for
CMake projects
Deprecations:
* Third-party software should install default dbus policies for the system
bus into ${datadir}/dbus-1/system.d (this has been supported since dbus
1.10, released in August 2015). Installing default dbus policies in
${sysconfdir}/dbus-1/system.d is now considered to be deprecated. Policy
files in ${sysconfdir}/dbus-1/system.d continue to be read, but this
directory should only be used by system administrators wishing to
override the default policies.
The ${datadir} applicable to dbus is usually /usr/share and the
${sysconfdir} is usually /etc.
* A similar pattern applies to the session bus policies in session.d.
* The dbus-send(1) man page now documents --bus and --peer instead of
the old --address synonym for --peer, which has been deprecated since
the introduction of --bus and --peer in 1.7.6
* The dbus-daemon man page now has scarier warnings about
<allow_anonymous/> and non-local TCP, which are insecure and should
not be used, particularly for the standard system and session buses
* DBusServer (and hence the dbus-daemon) no longer accepts usernames
(login names) for the recommended EXTERNAL authentication mechanism,
only numeric user IDs or the empty string. See 1.13.0 release notes
for full details.
New features:
* On Linux 4.13 or later when built against a suitable glibc version,
GetConnectionCredentials() now includes UnixGroupIDs, the effective
group IDs of the initiator of the connection, taken from
SO_PEERGROUPS.
* On Linux 4.13 or later, <policy group="…"> now uses the SO_PEERGROUPS
credentials-passing socket option to get the effective group IDs
of the initiator of the connection. See 1.13.4 release notes for details.
* Add a --sender option to dbus-send, which requests a name and holds it
until the signal has been sent
* dbus-daemon <allow> and <deny> rules can now specify a
send_destination_prefix attribute, which is like a combination of
send_destination and the arg0namespace keyword in match rules.
See 1.13.12 release notes for more details
* The dbus-daemon now filters the messages that it relays, removing
header fields that it does not understand. Clients must not rely on
this behaviour unless they have confirmed that they are connected to
a suitable message bus implementation, for example by querying its
Features property.
* The dbus-daemon now emits a signal, ActivatableServicesChanged, when
the list of activatable services may have changed. Support for this
signal can be discovered by querying the Features property.
* It is now possible to disable traditional (non-systemd) service
activation at build-time (Autotools: --disable-traditional-activation,
CMake: -DENABLE_TRADITIONAL_ACTIVATION=OFF). See 1.13.10 release notes
for details.
* The API reference manual can be built as a Qt compiled help file if
qhelpgenerator(-qt5) is available. See 1.13.16 release notes for details.
Miscellaneous behaviour changes:
* When using the "user bus" (--enable-user-session), put the dbus-daemon
in the session slice
* Several environment variables set by systemd are no longer passed
on to activated services
* If the dbus-daemon is compiled for Linux with systemd support, it
now informs systemd that it is ready for use via the sd_notify()
mechanism
* Tarball releases no longer contain pre-2007 changelogs and are now
compressed with xz, making them around 35% smaller.
Changes since 1.13.22
---------------------
* On Windows, consistently use msvcrt.dll-style printf formats, fixing
builds with mingw-w64 8.0.0 (dbus#380, Simon McVittie)
* Fix some broken links in the API design document
(dbus!257, Michael Nosthoff)
* CI updates
· Enable -Werror for the CMake builds
· Use https to download MSYS packages
· Use Debian 11 for most builds
· Stop testing on Debian 9, which is EOL
· Stop testing on Ubuntu 16.04, which is EOL
· Remove workarounds for missing/outdated packages in Debian 8, Debian 9
and Ubuntu 16.04
(dbus#380, dbus!260; Simon McVittie)
- Update to dbus 1.13.22 (2022-02-23)
This is a release candidate for a new dbus 1.14.x stable branch.
Enhancements:
* D-Bus Specification 0.38:
· Add ActivatableServicesChanged signal and feature flag
(dbus#376, Ralf Habacker)
· Document * as optionally-escaped in D-Bus addresses, matching
the implementation (dbus!248, Kir Kolyshkin)
* Emit the new ActivatableServicesChanged signal when configuration
and/or activatable services are reloaded (dbus#376, Ralf Habacker)
* Add an XML catalog file for the DTDs we install
(dbus!202, Jan Tojnar)
Bug fixes:
* On Linux, when using traditional (non-systemd) service activation,
don't log warnings about failing to reset OOM score adjustment if the
process is already more susceptible to the OOM killer, as user processes
usually are with systemd ≥ 250. (dbus#374, Simon McVittie)
* On Linux, when using traditional (non-systemd) system bus activation,
reset the OOM score adjustment to 0 as intended.
If the system dbus-daemon is protected from the OOM killer, this
avoids that protection unintentionally being inherited by every
system service. (dbus#378, Simon McVittie)
* Fix a code path that could result in a crash on out-of-memory
(dbus#246, Marc-André Lureau)
* Fix compilation if embedded tests are enabled but verbose mode and
stats are both disabled (Marc-André Lureau)
* CMake: Improve support for Windows with MSVC and add CI coverage
(dbus!218, Marc-André Lureau)
* CMake: Improve Docbook documentation-generation
(dbus#377, Ralf Habacker)
* On Linux, fix a race condition in the integration test for transient
services (Debian#1005889, dbus!256; Simon McVittie)
- Update to dbus 1.13.20 (2021-12-17)
The “not how anyone wanted to learn the Greek alphabet” release.
Dependencies:
* Building using CMake now requires CMake 3.4.
Enhancements:
* D-Bus Specification 0.37:
· Update recommendations for DBUS_COOKIE_SHA1 timeouts
(dbus!171, Simon McVittie)
· Clarify padding requirements for arrays and variants
(dbus!203, Zeeshan Ali)
· Describe where the interoperable machine ID comes from
(dbus!198, Thomas Kluyver)
· Clarify use of dictionary (array of dict-entry) types
(dbus#347, Ralf Habacker)
* When using the "user bus" (--enable-user-session), put the dbus-daemon
in the session slice (dbus!219, David Redondo)
Feature removal:
* Disable the experimental Containers1 interface that was added in 1.13.0.
It is incomplete and not ready for production use, so we're disabling it
in preparation for a new 1.14.x stable branch; the code remains present
and will be re-enabled later, but there is no longer a build-time
configuration option to enable it. (dbus!236, Simon McVittie)
Bug fixes:
* Avoid malloc() after fork on non-GNU libc (dbus!181, Jean-Louis Fuchs)
* Don't return successfully from RemoveMatch if the match rule didn't
exist (dbus#351, Simon McVittie)
* On Windows, fix a race condition where dbus-run-session could start the
wrapped application before the dbus-daemon was ready
(dbus#297, Ralf Habacker)
* Fix build with clang 13 by using Standard C offsetof where available
(dbus!237, Simon McVittie)
* Fix build of tests on FreeBSD (dbus!167, Simon McVittie)
* Various CMake build improvements
(dbus#310, dbus!213, dbus#319, dbus!217, dbus#346, dbus#356;
Ralf Habacker)
* Set IMPORTED_IMPLIB property in CMake metadata installed via Autotools
with mingw toolchain
(dbus!172, Julien Schueller)
* Make documentation build more reproducible
(dbus!189, dbus!238; Arnout Engelen, Simon McVittie)
* On Unix, make X11 autolaunch cope with slashes in DISPLAY
(dbus#8, dbus#311; William Earley)
* Don't try to raise RLIMIT_NOFILE beyond OPEN_MAX on macOS
(dbus#309, William Earley)
* Improve SELinux audit messages (dbus!173, Chris PeBenito)
* Validate various strings in dbus-send to avoid client-side assertion
failures on invalid input (dbus#338, Simon McVittie)
* Fix a memory leak in a unit test (dbus!208, David King)
* In Autotools builds, use pkg-config in preference to AC_PATH_XTRA
(dbus!212, Scott Hamilton)
* On Windows, prevent (theoretical?) stack buffer overflow with very
long paths (dbus!221, Ralf Habacker)
* Fix build with newer mingw compilers (dbus#355, Ralf Habacker)
* Various Windows error-handling fixes
(dbus!229, dbus#357, dbus#279, dbus#360, dbus#365;
Ralf Habacker, Simon McVittie)
* Clearer diagnostics when tests are skipped (dbus#363, Simon McVittie)
* CI improvements
(dbus#318, dbus!197, dbus!187, dbus!196, dbus!201, dbus#359;
Simon McVittie, Ralf Habacker, Arnout Engelen, Marc-André Lureau)
* Typo fixes, etc.
(dbus!183, dbus!182; Chigozirim Chukwu, Samy Mahmoudi)
- Update to dbus 1.13.18 (2020-07-02)
The “carnivorous border” release.
Maybe security fixes:
* On Unix, avoid a use-after-free if two usernames have the same
numeric uid. In older versions this could lead to a crash (denial of
service) or other undefined behaviour, possibly including incorrect
authorization decisions if <policy group=...> is used.
Like Unix filesystems, D-Bus' model of identity cannot distinguish
between users of different names with the same numeric uid, so this
configuration is not advisable on systems where D-Bus will be used.
Thanks to Daniel Onaca.
(dbus#305, dbus!166, CVE-2020-35512; Simon McVittie)
Other fixes:
* On Solaris and its derivatives, if a cmsg header is truncated, ensure
that we do not overrun the buffer used for fd-passing, even if the
kernel tells us to.
(dbus#304, dbus!165; Andy Fiddaman)
* When built with CMake, use GNUInstallDirs' special-cases for prefixes
/, /usr and /opt/*
(dbus!155, Ralf Habacker)
* When built with CMake on Linux, allow systemd-specific features to be
enabled, for feature parity with Autotools
(dbus!155, Ralf Habacker)
* When built with CMake, install the same example files as with Autotools
(dbus!155, Ralf Habacker)
* Correct the doc-comment for DBUS_ERROR_SPAWN_NO_MEMORY
(dbus!163, Marc-André Lureau)
- Update to dbus 1.13.16 (2020-06-02)
The “ominous mushroom hat” release.
Denial of service fixes:
* CVE-2020-12049: If a message contains more file descriptors than can
be sent, close those that did get through before reporting error.
Previously, a local attacker could cause the system dbus-daemon (or
another system service with its own DBusServer) to run out of file
descriptors, by repeatedly connecting to the server and sending fds that
would get leaked.
Thanks to Kevin Backhouse of GitHub Security Lab.
(dbus#294, GHSL-2020-057; Simon McVittie)
Enhancements:
* The API reference manual can be built as a Qt compiled help file if
qhelpgenerator(-qt5) is available. This is controlled by
--enable-qt-help and --with-qchdir in the Autotools build, or
-DENABLE_QT_HELP and -DINSTALL_QCH_DIR in CMake.
(dbus!150, Ralf Habacker)
Fixes:
* When built for Windows, return all autolaunch error information in
the DBusError rather than printing some of it to stderr
(dbus#191, dbus!131; Ralf Habacker)
* When built for Windows, don't truncate long log messages
(dbus!134, Ralf Habacker)
* When built using CMake for a Unix platform, dbus-cleanup-sockets and
dbus-uuidgen are now included (dbus!154, Ralf Habacker)
* When built for Windows with verbose mode enabled, don't print debugging
messages related to poll() emulation into a fixed-size buffer that
could overflow (dbus!125, Ralf Habacker)
* Adjust .desktop file parser to avoid a Coverity false positive
(dbus!146, Coverity CID 354884; Ralf Habacker)
* Print shell-test diagnostics to stderr, avoiding warnings or errors
from strict TAP parsers (dbus!157, Félix Piédallu)
Tests and CI enhancements:
* When the CI cross-builds Windows binaries on Linux, run unit tests
using Wine (dbus#296, dbus!158; Ralf Habacker)
* Really build x86_64 Windows binaries in Gitlab-CI, instead of building
i686 binaries a second time (Ralf Habacker)
* When tests will be run using Wine, use STABS debug symbol format so
that Wine can display backtraces (dbus#133, dbus!104; Ralf Habacker)
- Update to dbus 1.13.14 (2020-04-21)
The “mystery allium” release.
Dependencies:
* On Unix platforms, if getpwnam_r() and getgrnam_r() are implemented,
they must be POSIX-conformant. The non-POSIX signature seen in ancient
Solaris versions will no longer work. (dbus!11, Simon McVittie)
Enhancements:
* D-Bus Specification 0.36:
· Fix a typo in an annotated hexdump of part of a message
(dbus!152, Zygmunt Krynicki)
* On Linux, use getrandom(2) in preference to /dev/urandom
(dbus!147, Natanael Copa)
* Add a --sender option to dbus-send, which requests a name and holds it
until the signal has been sent. (dbus!116, Christopher Morin)
Fixes:
* Fix a crash when the dbus-daemon is terminated while one or more
monitors are active (dbus#291, dbus!140; Simon McVittie)
* Fix several test failures if the build-time tests were run as uid 0.
Note that running the tests with elevated privileges is likely to be
insecure, and should only be attempted in an expendable container or
virtual machine. (dbus!117, Simon McVittie)
* Fix an assertion failure if a client encounters an out-of-memory
condition while sending its response to the "OK" authentication
message, and processing of the "OK" message is subsequently retried
when more memory is available (dbus!119, Simon McVittie)
* Don't leak struct addrinfo if we run out of memory during a TCP
connect()
(dbus!143, dbus!144, Coverity CID 354880; Ralf Habacker, Simon McVittie)
* On Linux with SELinux, don't assume that the system policy has the
"dbus" security class or the associated AV
(dbus#198, dbus!128; Laurent Bigonville)
* Handle dbus_connection_set_change_sigpipe() in a thread-safe way
(dbus!132; Simon McVittie, Ralf Habacker)
* On Unix, use POSIX <poll.h> in preference to <sys/poll.h>
(dbus!148, Natanael Copa)
* When building with CMake, cope with libX11 in a non-standard location
(dbus!129, Tuomo Rinne)
* On Windows with verbose mode enabled and outputting to the debug port,
use a dynamically-allocated buffer to avoid potential stack buffer
overflows in long messages (dbus#45, dbus!133; Ralf Habacker)
* The dbus-send(1) man page now documents --bus and --peer instead of
the old --address synonym for --peer, which has been deprecated since
the introduction of --bus and --peer in 1.7.6
(fd.o #48816, dbus!115; Chris Morin)
* Fix a wrong environment variable name in dbus-daemon(1)
(dbus#275, dbus!122; Mubin, Philip Withnall)
* Fix formatting of dbus_message_append_args example
(dbus!126, Felipe Franciosi)
Internal changes:
* Move more test-only code from dbus/ to tests/
(dbus!120, dbus!121, dbus!153; Simon McVittie)
* Improve diagnostics if memory or fd leaks are detected
(dbus!118, dbus!120; Simon McVittie)
* Move from Debian 9 to Debian 10 for most continuous integration jobs
(dbus!151, Simon McVittie)
* On Windows, improve embedded version information
(dbus!136, dbus!138, dbus!139; Ralf Habacker)
* Indentation fixes (dbus!149, Taras Zaporozhets)
- Update to dbus 1.13.12 (2019-06-11)
The “patio squirrel” release.
Security fixes:
* CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
authentication for identities that differ from the user running the
DBusServer. Previously, a local attacker could manipulate symbolic
links in their own home directory to bypass authentication and connect
to a DBusServer with elevated privileges. The standard system and
session dbus-daemons in their default configuration were immune to this
attack because they did not allow DBUS_COOKIE_SHA1, but third-party
users of DBusServer such as Upstart could be vulnerable.
Thanks to Joe Vennix of Apple Information Security.
(dbus#269, Simon McVittie)
Enhancements:
* dbus-daemon <allow> and <deny> rules can now specify a
send_destination_prefix attribute, which is like a combination of
send_destination and the arg0namespace keyword in match rules: a rule
with send_destination_prefix="com.example.Foo" matches messages sent to
any destination that is in the queue to own well-known names like
com.example.Foo or com.example.Foo.A.B (but not com.example.Foobar).
(dbus!85, Adrian Szyndela)
- Update to dbus 1.13.10 (2019-05-13)
The “engineering brick” release.
Dependencies:
* GLib >= 2.38 is required if full test coverage is enabled
(reduced from 2.40 in dbus 1.12.x.)
Deprecations:
* Third-party software should install default dbus policies for the system
bus into ${datadir}/dbus-1/system.d (this has been supported since dbus
1.10, released in August 2015). Installing default dbus policies in
${sysconfdir}/dbus-1/system.d is now considered to be deprecated. Policy
files in ${sysconfdir}/dbus-1/system.d continue to be read, but this
directory should only be used by system administrators wishing to
override the default policies.
The ${datadir} applicable to dbus is usually /usr/share and the
${sysconfdir} is usually /etc.
* A similar pattern applies to the session bus policies in session.d.
Enhancements:
* D-Bus Specification 0.35:
· Add UnixGroupIDs to GetConnectionCredentials()
(dbus#196, dbus!105; Matthijs van Duin)
· Remove some redundancies from the spec for interface names
(dbus!102, Felipe Gasper)
* Raise soft fd limit to match hard limit, even if unprivileged.
This makes session buses with many clients, or with clients that make
heavy use of fd-passing, less likely to suffer from fd exhaustion.
(dbus!103, Simon McVittie)
* On Linux 4.13 or later when built against a suitable glibc version,
GetConnectionCredentials() now includes UnixGroupIDs, the effective
group IDs of the initiator of the connection, taken from
SO_PEERGROUPS. (dbus#196, dbus!105; Matthijs van Duin)
* Embedded/special-purpose builds of dbus can now be configured with
--disable-traditional-activation, to disable services being launched
as a subprocess of the dbus-daemon. This allows the system dbus-daemon
to be run in a more tightly restricted security profile (an example
"drop-in" for systemd is provided).
If systemd support is enabled, then services with a SystemdService
configured can still be activated in these builds, via IPC to systemd.
Otherwise, services will not be activatable at all.
Please note that this option is not suitable for general-purpose
Linux distributions that are intended to support running third-party
D-Bus services.
(dbus!107, Topi Miettinen)
* Move CMake build system to top level, matching normal practice for
CMake projects (dbus!84, Ralf Habacker)
* Reformat CMake files (dbus#252, dbus!82, dbus!91; Ralf Habacker)
* Avoid GLib 2.40 dependencies (dbus!79, Ralf Habacker)
* Officially deprecate packaged XML policies in ${sysconfdir}, and
document how to install system services correctly
(dbus!76, Simon McVittie)
* Add AddressSanitizer and ubsan support (dbus!57, Simon McVittie)
Fixes:
* If a privileged dbus-daemon has a hard fd limit greater than 64K, don't
reduce it to 64K, ensuring that we can put back the original fd limits
when carrying out traditional (non-systemd) activation. This fixes a
regression with systemd >= 240 in which system services inherited
dbus-daemon's hard and soft limit of 64K fds, instead of the intended
soft limit of 1K and hard limit of 512K or 1M.
(dbus!103, Debian#928877; Simon McVittie)
* Fix build failures caused by an AX_CODE_COVERAGE API change in newer
autoconf-archive versions (dbus#249, dbus!88; Simon McVittie)
* Fix build failures with newer autoconf-archive versions that include
AX_-prefixed shell variable names (dbus#249, dbus!86; Simon McVittie)
* Avoid possible memory corruption in certain DBusHashTableIter use
patterns, which in practice were never used (dbus!44, Simon McVittie)
* Avoid a test failure on Linux when built in a container as uid 0, but
without the necessary privileges to increase resource limits
(dbus!58, Debian #908092; Simon McVittie)
* Don't overwrite PKG_CONFIG_PATH and related environment variables when
the pkg-config-based version of DBus1Config is used in a CMake project
(dbus#267, dbus!96; Clemens Lang)
* In CMake builds, respect GNUInstallDirs variables
(dbus!77, Ralf Habacker)
* In CMake builds, don't rebuild documentation every time
(dbus!94, Ralf Habacker)
* In CMake builds for Windows, don't require libiconv
(dbus#262, dbus!100; Ralf Habacker)
* Fix intermittent build failures with parallel CMake
(dbus#266, dbus!113; Simon McVittie)
* Don't assume we can set permissions on a directory, for the benefit of
MSYS and Cygwin builds (dbus#216, dbus!110; Simon McVittie)
* Avoid test failures with non-trivial NSS modules
(dbus#256, dbus!93; Simon McVittie)
* Fix test failures in test-syslog and test-sysdeps under Windows
(dbus#238, dbus#243, dbus!61, dbus!62; Simon McVittie)
* Ensure that CTest build-time tests on Windows use the just-built
libdbus-1-3.dll (dbus!83, Ralf Habacker)
* Don't take so long to run test-refs on Windows
(dbus#244, dbus!65; Ralf Habacker)
* Fix memory leaks in tests (dbus!68, Simon McVittie)
* Avoid casting user-supplied pointers to DBusBasicValue *, which is
formally undefined behaviour (dbus!69, Simon McVittie)
* Fix a non-exploitable stack array overrun in dbus-run-session on Windows
(Ralf Habacker)
Tests and CI enhancements:
* Verify that the result of an Autotools `make dist` can be used for a
successful CMake build (dbus#255, dbus!87; Simon McVittie)
* Rewrite Python tests into C to reduce circular dependencies and
facilitate use of AddressSanitizer (dbus!37, Simon McVittie)
* Refactor tests to extract most of their code from the bus/ and dbus/
directories, and break them up into smaller modules
(dbus#223, dbus#240, dbus!1, dbus!99, dbus!73, dbus!74, dbus!75;
Simon McVittie, Ralf Habacker)
* Do CI builds in a more minimal environment (dbus!63, Simon McVittie)
* Improve test coverage with CMake (dbus#135, dbus!23; Ralf Habacker)
* Avoid firewall exception requests when running build-time tests on
Windows (dbus!64, Ralf Habacker)
* Allow use of Wine to run cross-compiled Windows tests on Linux
(dbus!60, Ralf Habacker)
Internal changes:
* Rename DBusSocketSet to the more accurate DBusPollableSet
(dbus!81, Ralf Habacker)
* Refactor Windows implementation of dbus-spawn
(dbus!80; Ralf Habacker, Simon McVittie)
* Delete unused code from userdb module (dbus!92, Simon McVittie)
* Remove unnecessary _dbus_threads_init_debug() (dbus!72, Simon McVittie)
- Update to dbus 1.13.8 (2018-12-04)
The “demanding dragon” release.
dbus version control is now hosted on freedesktop.org's Gitlab
installation, and bug reports and feature requests have switched from
Bugzilla bugs (indicated by "fd.o #nnn") to Gitlab issues ("dbus#nnn")
and merge requests ("dbus!nnn"). See README and CONTRIBUTING.md for
more details.
Dependencies:
* dbus now requires at least a basic level of support for C99 variadic
macros, as implemented in gcc >= 3, all versions of Clang, and
MSVC >= 2005. In practice this requirement has existed since version
1.9.2, but it is now official.
* dbus now requires a C99-compatible va_copy() macro (or a __va_copy()
macro with the same behaviour), except when building for Windows using
MSVC and CMake.
* Building documentation using CMake now requires xsltproc, Docbook DTDs
(for example docbook-xml on Debian derivatives), and Docbook XSLT
stylesheets (for example docbook-xsl on Debian derivatives). Using
KDE's meinproc4 documentation processor is no longer supported.
Enhancements:
* Rewrite CONTRIBUTING.md to reflect the current setup
(dbus!8, Simon McVittie)
* D-Bus Specification v0.34:
· Fix an incorrect AddMatch() call in sample code
(dbus#221, dbus!56; Philip Withnall)
* Tarball releases no longer contain pre-2007 changelogs and are now
compressed with xz, so they should be somewhat smaller
(fd.o #107630; Francesco Turco, Simon McVittie)
* Reference the freedesktop.org Code of Conduct (Simon McVittie)
* Build an implementation of dbus-run-session for Windows
(dbus#135, dbus!22; Ralf Habacker)
* On Linux with SELinux, use avc_open() and monitor the AVC netlink fd
in the main event loop, instead of using the deprecated avc_init()
and a thread (dbus#134, dbus!31; Laurent Bigonville)
* On Linux with SELinux, use the SELINUX_CB_POLICYRELOAD callback
to detect policy reloads, instead of monitoring the access vector
cache with AVC_CALLBACK_RESET
(dbus#134, dbus!31; Laurent Bigonville)
* Avoid double slashes in pkg-config paths (dbus!30, Ralf Habacker)
* Improve test coverage and clean up dead code
(fd.o #107739, dbus#222; Simon McVittie)
* Allow --enable-relocation in combination with absolute paths for
--exec-prefix, --libdir (fd.o #107662, Simon McVittie)
* Don't run a test program to check how to copy a va_list, which is
awkward for cross-compiling; instead require that va_copy() or
__va_copy() exists, except in older MSVC versions where we already
know that simple assignment is enough (dbus!35, Simon McVittie)
* Simplify configure checks (dbus!10, Simon McVittie)
* Improve CMake build system parity with Autotools, including:
· Detect inotify, prctl() and getpwnam_r() correctly on Linux
· Use xsltproc instead of meinproc4 for documentation
(dbus#57, dbus#117, dbus#193, dbus#227, dbus!18, dbus!39;
Ralf Habacker, Simon McVittie)
Fixes:
* Stop the dbus-daemon leaking memory (an error message) if delivering
the message that triggered auto-activation is forbidden. This is
technically a denial of service because the dbus-daemon will
run out of memory eventually, but it's a very slow and noisy one,
because all the rejected messages are also very likely to have
been logged to the system log, and its scope is typically limited by
the finite number of activatable services available.
(dbus#234, Simon McVittie)
* Remove __attribute__((__malloc__)) attribute on dbus_realloc(),
which does not meet the criteria for that attribute in gcc 4.7+,
potentially leading to miscompilation (fd.o #107741, Simon McVittie)
* Parse section/group names in .service files according to the syntax
from the Desktop Entry Specification:
· reject control characters and non-ASCII in section/group names
· backslash escapes are not interpreted in section/group names
(dbus#208; David King, Simon McVittie)
* Always use select()-based poll() emulation on Darwin-based OSs
(macOS, etc.) and on Interix, similar to what libcurl does
(dbus#232, dbus!19; Simon McVittie)
* Avoid undefined integer shifts when generating random tokens for
the DBUS_COOKIE_SHA1 mechanism (dbus!45, Simon McVittie)
* Document the max-connections-per-user limit as unimplemented on
Windows, and don't fail tests when it isn't enforced there
(dbus!54, Simon McVittie)
* Avoid unnecessary file descriptors being inherited by dbus-daemon and
dbus-launch subprocesses (dbus!50, Simon McVittie)
* Fix some minor memory leaks
(fd.o #107320, dbus!41, dbus!42; Simon McVittie)
* Don't fail tests if GetConnectionUnixProcessID() succeeds on Windows,
which it normally will since 1.7.x
(dbus#239, dbus!55; Simon McVittie)
* Extend a test timeout to avoid spurious failures in CI
(dbus!26, Simon McVittie)
* Avoid undefined signed integer operations when generating random
message content during regression tests (dbus!46, Simon McVittie)
* Fix build warnings with recent gcc (dbus#208, dbus#225; David King)
* Fix build warnings without libX11 (dbus#228, Simon McVittie)
* Fix whitespace and error behaviour for _dbus_command_from_pid()
(dbus#222, dbus!28; Simon McVittie)
* Fix a race condition in the containers test
(dbus!47, Simon McVittie)
* When built with CMake, install dbus-daemon-launch-helper to
${CMAKE_INSTALL_LIBEXECDIR}, analogous to ${libexecdir} in
Autotools (dbus!9, Simon McVittie)
* When built with CMake and disabling tests, still install
dbus-daemon-launch-helper (dbus!9, Simon McVittie)
Tests and CI:
* Add Travis-CI builds for 64-bit Windows using mingw-w64
(fd.o #105662, Ralf Habacker)
* Add Gitlab-CI integration (fd.o #108177, Simon McVittie)
- Update to dbus 1.13.6 (2018-08-02)
The “vine cutting” release.
Fixes:
* Prevent reading up to 3 bytes beyond the end of a truncated message.
This could in principle be an information leak or denial of service
on the system bus, but is not believed to be exploitable to crash
the system bus or leak interesting information in practice.
(fd.o #107332, Simon McVittie)
* Fix build with gcc 8 -Werror=cast-function-type
(fd.o #107349, Simon McVittie)
* Fix warning from gcc 8 about suspicious use of strncpy() when
populating struct sockaddr_un (fd.o #107350, Simon McVittie)
* Fix a minor memory leak when a DBusServer listens on a new address
(fd.o #107194, Simon McVittie)
* Fix an invalid NULL argument to rmdir() if a nonce-tcp DBusServer
runs out of memory (fd.o #107194, Simon McVittie)
* Fix various memory leaks during unit tests
(fd.o #107194, Simon McVittie)
* Don't use misleading errno-derived error names if getaddrinfo() or
getnameinfo() fails with a code other than EAI_SYSTEM
(fd.o #106395, Simon McVittie)
* Skip tests that require working TCP if we are in a container environment
where 127.0.0.1 cannot be resolved (fd.o #106812, Simon McVittie)
- Update to dbus 1.13.4 (2018-04-30)
The “parsimonious topping” release.
Dependencies:
* All Windows builds now require Windows Vista or later.
(Note that we do not recommend or support use of dbus on operating
systems outside their vendor's security support lifetime, such as Vista.)
Enhancements:
* D-Bus Specification v0.33
· Be clearer about the security properties of TCP transports, which
have no integrity or confidentiality protection and so should not
normally be used, except via the loopback interface on Windows
(fd.o #106004, Simon McVittie)
* On Linux 4.13 or later, <policy group="…"> now uses the SO_PEERGROUPS
credentials-passing socket option to get the effective group IDs
of the initiator of the connection. On platforms where that socket
option is not available, dbus-daemon continues to look up the
connection's user ID in the system user and group databases and
assume that it has the groups that would have been granted by
initgroups(). (fd.o #103737, #97821; Simon McVittie)
* If the dbus-daemon is compiled for Linux with systemd support, it
now informs systemd that it is ready for use via the sd_notify()
mechanism. (fd.o #104641; Michal Sekletar, Simon McVittie)
* Several environment variables set by systemd are no longer passed
on to activated services (fd.o #104641, Simon McVittie)
* Failing to bind a TCP socket to an address produces better error
messages. (fd.o #61922; Simon McVittie, Ralf Habacker)
* Windows builds now set the SO_REUSEADDR and TCP_NODELAY options on
TCP sockets (as Unix builds already did), which should improve
robustness and performance (fd.o #61922, Ralf Habacker)
* Windows executables built with cmake have version information.
When building for Windows with Autotools, only libdbus-1-3.dll
has version information, matching previous behaviour with cmake.
(fd.o #103387, Ralf Habacker)
* The Devhelp documentation index is now in version 2 format
(fd.o #106186, Simon McVittie)
* Give the dbus-daemon man page some scarier warnings about
<allow_anonymous/> and non-local TCP, which are insecure and should
not be used, particularly for the standard system and session buses
(fd.o #106004, Simon McVittie)
Fixes:
* Listening on TCP sockets copes better with IPv6 being disabled
(fd.o #61922; Ralf Habacker, Simon McVittie)
* Fix installation of Ducktype documentation with newer yelp-build
versions (fd.o #106171, Simon McVittie)
* Fix printf formats for pointer-sized integers on 64-bit Windows
(fd.o #105662, Ralf Habacker)
Internal changes:
* The _DBUS_GNUC_WARN_UNUSED_RESULT macro has been replaced with
_DBUS_WARN_UNUSED_RESULT, which is effective with gcc, clang and MSVC
(with cl.exe /analyze). Note that for MSVC compatibility, it must
appear before the return type in function declarations, whereas the
older macro could also have appeared after the arguments.
(fd.o #105460; Daniel Wendt, Ralf Habacker)
- Update to dbus 1.13.2 (2018-03-01)
The “can break a man's arm” release.
Enhancements:
* When a container manager creates an extra server at runtime, services
can now request that messages from connections to that server are
tagged with the container instance ID, providing a fast-path for
identifying such connections. (fd.o #101899, Simon McVittie)
Fixes:
* Increase system dbus-daemon's RLIMIT_NOFILE rlimit before it drops
privileges, because it won't have permission afterwards. This fixes a
regression in dbus 1.10.18 and 1.11.0 which made the standard system bus
more susceptible to deliberate or accidental denial of service.
(fd.o #105165, David King)
- Update to dbus 1.13.0 (2018-02-08)
The “Citispeed Eco 75” release.
This is a new development branch for the adventurous, and comes with a
risk of regressions. OS distributions should stay with the 1.12.x branch,
unless they can commit to following the 1.13.x branch until it reaches
a 1.14.0 stable release at an unspecified point in the future.
In particular, the new Containers API is subject to change and shouldn't
be enabled in distributions yet, even those aimed at early adopters
(hello, Arch Linux).
Behaviour changes:
* DBusServer (and hence the dbus-daemon) no longer accepts usernames
(login names) for the recommended EXTERNAL authentication mechanism,
only numeric user IDs or the empty string. This is not believed to
affect real D-Bus clients in practice, because most D-Bus clients
send numeric user IDs: the only known client implementation that
sends usernames is dbus-java, and that only when run on a system
where the com.sun.security.auth.module.UnixSystem.getUid() method is
not available. (fd.o #104588, Simon McVittie)
Enhancements:
* D-Bus Specification v0.32
· Deprecate hyphen/minus in reversed domain names, recommending
underscores instead. Recommend prepending an underscore to domain
components that start with a digit, which would not be allowed.
(fd.o #103914, Simon McVittie)
· Clarify how the SASL authentication handshake works
(fd.o #104224, Simon McVittie)
· Recommend that the message bus should remove message header fields
that it does not understand. The new item "HeaderFiltering" in the
message bus' Features property indicates that it promises to do so.
(fd.o #100317, Simon McVittie)
* Add experimental support for creating extra servers at runtime, to
be used by app containers like Flatpak or Snap. This API is still
subject to change and is not compiled in by default.
(fd.o #101354, Simon McVittie)
* Improve automated test logging (fd.o #103601, Simon McVittie)
* The dbus-daemon now filters the messages that it relays, removing
header fields that it does not understand. Clients must not rely on
this behaviour unless they have confirmed that they are connected to
a suitable message bus implementation, for example by querying its
Features property. (fd.o #100317, Simon McVittie)
Fixes:
* When iterating the DBusConnection while blocking on a pending call,
don't wait for I/O if that pending call already has a result; and make
sure that whether it has a result is propagated in a thread-safe way.
This prevents certain multi-threaded calling patterns from blocking
until their timeout even when they should have succeeded sooner.
(fd.o #102839; Manish Narang, Michael Searle)
* Do not look up client-supplied strings in the system user database
(NSS or equivalent) when using the recommended EXTERNAL auth mechanism.
This could previously lead to a deadlock or timeout in the presence of
slow or network-dependent NSS modules. (fd.o #104588, Simon McVittie)
* Report the correct error if OOM is reached while trying to listen
on a TCP socket (fd.o #89104, Simon McVittie)
* Fix a crash and an assertion failure in the server side of the
nonce-tcp: transport under error conditions
(fd.o #89104, Simon McVittie)
* Fix assertion failures in recovery from OOM while setting up a
DBusServer (fd.o #89104, Simon McVittie)
* Don't leak a file descriptor if setting up a launchd server fails
(fd.o #89104, Simon McVittie)
* Add a missing space to a warning message (fd.o #103729, Thomas Zajic)
* Fix some memory leaks in automated tests
(fd.o #103600, Simon McVittie)
* Expand ${bindir} correctly when pkg-config is asked for dbus_daemondir
(fd.o #104265, Benedikt Heine)
* On Linux systems with systemd < 237, if ${localstatedir}/lib/dbus doesn't
exist, create it before trying to create ${localstatedir}/lib/dbus/machine-id
(fd.o #104577, Chris Lesiak)
* Fix escaping in dbus-api-design document (fd.o #104925, Philip Withnall)
Internal changes:
* Harden the nonce-tcp: transport against resource leaks and
use-after-free (fd.o #103597, Simon McVittie)
* Make _DBUS_STRING_DEFINE_STATIC more consistent with
_dbus_string_init_const() (fd.o #89104, Simon McVittie)
* Add _DBUS_STRING_INIT_INVALID, analogous to NULL, and use it to
simplify error unwinding code paths (fd.o #89104, Simon McVittie)
* Make the behaviour of _dbus_string_init_const()/_dbus_string_free()
consistent with _dbus_string_init()/_dbus_string_free(): it now clears
the string to _DBUS_STRING_INIT_INVALID, whereas previously it left
the string untouched (fd.o #89104, Simon McVittie)
* Remove automated test data for wire protocol version 0, which has not
been supported since 2005 (fd.o #103758, Simon McVittie)
* Simplify method calls in automated tests
(fd.o #103600, Simon McVittie)
-------------------------------------------------------------------
Wed Nov 9 14:53:47 UTC 2022 - Ralf Habacker <ralf.habacker@freenet.de>
- Drop unused build dependencies to fix building on Tumbleweed
- Drop obsolete build dependencies (boo#1201119)
-------------------------------------------------------------------
Mon Jan 10 10:35:34 UTC 2022 - Ralf Habacker <ralf.habacker@freenet.de>
- Add runtime package as dependency to development package to fix
running cross compiled application (boo#1194430)
-------------------------------------------------------------------
Fri Dec 3 09:13:25 UTC 2021 - Ralf Habacker <ralf.habacker@freenet.de>
- Change all version comparisons for Tumbleweed to >= 1550 (instead
of == 1550). Anything in Tumbleweed counts for current Tumbleweed
plus future CODE branches. Additionally, the Tumbleweed
suse_version code is not chiseled in stone.
-------------------------------------------------------------------
Sat Jul 18 08:46:02 UTC 2020 - Ralf Habacker <ralf.habacker@freenet.de>
- Update to dbus 1.12.20
* On Unix, avoid a use-after-free if two usernames have the same
numeric uid. In older versions this could lead to a crash (denial of
service) or other undefined behaviour, possibly including incorrect
authorization decisions if <policy group=...> is used.
Like Unix filesystems, D-Bus' model of identity cannot distinguish
between users of different names with the same numeric uid, so this
configuration is not advisable on systems where D-Bus will be used.
Thanks to Daniel Onaca.
(dbus#305, dbus!166; Simon McVittie)
* On Solaris and its derivatives, if a cmsg header is truncated, ensure
that we do not overrun the buffer used for fd-passing, even if the
kernel tells us to.
(dbus#304, dbus!165; Andy Fiddaman)
- From 1.12.18
* CVE-2020-12049: If a message contains more file descriptors than can
be sent, close those that did get through before reporting error.
Previously, a local attacker could cause the system dbus-daemon (or
another system service with its own DBusServer) to run out of file
descriptors, by repeatedly connecting to the server and sending fds that
would get leaked.
Thanks to Kevin Backhouse of GitHub Security Lab.
(dbus#294, GHSL-2020-057; Simon McVittie)
* Fix a crash when the dbus-daemon is terminated while one or more
monitors are active (dbus#291, dbus!140; Simon McVittie)
* The dbus-send(1) man page now documents --bus and --peer instead of
the old --address synonym for --peer, which has been deprecated since
the introduction of --bus and --peer in 1.7.6
(fd.o #48816, dbus!115; Chris Morin)
* Fix a wrong environment variable name in dbus-daemon(1)
(dbus#275, dbus!122; Mubin, Philip Withnall)
* Fix formatting of dbus_message_append_args example
(dbus!126, Felipe Franciosi)
* Avoid a test failure on Linux when built in a container as uid 0, but
without the necessary privileges to increase resource limits
(dbus!58, Debian #908092; Simon McVittie)
* When building with CMake, cope with libX11 in a non-standard location
(dbus!129, Tuomo Rinne)
- From 1.12.16
* CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
authentication for identities that differ from the user running the
DBusServer. Previously, a local attacker could manipulate symbolic
links in their own home directory to bypass authentication and connect
to a DBusServer with elevated privileges. The standard system and
session dbus-daemons in their default configuration were immune to this
attack because they did not allow DBUS_COOKIE_SHA1, but third-party
users of DBusServer such as Upstart could be vulnerable.
Thanks to Joe Vennix of Apple Information Security.
(dbus#269, Simon McVittie)
-------------------------------------------------------------------
Tue Jun 9 20:29:29 UTC 2020 - Ralf Habacker <ralf.habacker@freenet.de>
- Use python3 instead of python2 to fix building on Tumbleweed
-------------------------------------------------------------------
Wed Nov 20 13:40:31 UTC 2019 - Ludwig Nussel <lnussel@suse.de>
- inital package for Factory submission
