Vincent Untz wrote:
On Monday 26 January 2009, at 11:49 +0100, Ludwig Nussel wrote:
The dbus package used a too permissive configuration in the past which led to security problems (CVE-2008-4311). During investigation of that problem it was found that many packages install dbus configuration files that contain useless settings, settings that harm other services or settings that even break after the dbus security update.
Therefore I've written an rpmlint check that warns about such flaws. The check 'dbus-policy-missing-allow' will abort the build though. If you encounter that error you need to fix your dbus policy as the package will break (i.e. the service it offers via dbus won't work) after a dbus with the restrictive config gets checked in.
For which versions of openSUSE will this be enabled? (i.e., should we backport the fixes we do to 11.1 & earlier?)
A dbus package with the default policy set to deny will be released sooner or later for all currently maintained distributions. For released distributions it should be sufficient to fix the breakages only though. The other configuration mistakes are not severe enough to justify security updates in most cases. We're still evaluating that though. If you already know that your package breaks or if the config of your package opens bad security holes just let us (security@suse.de) know. We will hook you into the update process then.

cu
Ludwig

--
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
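As an added illustration (not part of the original thread, and not the actual rpmlint check): a minimal Python sketch of a policy lint of the kind described above, assuming the flaws of interest are a missing `<allow send_destination=...>` rule, which breaks the service once the bus default is deny, and `send_*` rules that name no destination, which affect other services. The service name `org.example.Foo`, both sample files and the finding names other than `dbus-policy-missing-allow` are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: relies on a permissive bus default, never names a destination.
SAMPLE_BROKEN = """<busconfig>
  <policy user="root">
    <allow own="org.example.Foo"/>
  </policy>
  <policy context="default">
    <allow send_interface="org.example.Foo.Manager"/>
  </policy>
</busconfig>"""

# Constructed sample: the same policy with the rule scoped to its own service.
SAMPLE_FIXED = """<busconfig>
  <policy user="root">
    <allow own="org.example.Foo"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.Foo"
           send_interface="org.example.Foo.Manager"/>
  </policy>
</busconfig>"""


def lint_policy(xml_text):
    """Return a sorted list of finding names for one D-Bus policy file."""
    findings = set()
    has_destination_allow = False
    for policy in ET.fromstring(xml_text).iter("policy"):
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            attrs = rule.attrib
            if rule.tag == "allow" and "send_destination" in attrs:
                has_destination_allow = True
            # A send_* match with no send_destination applies to messages
            # sent to every service on the bus, not just this package's.
            if any(a.startswith("send_") for a in attrs) and "send_destination" not in attrs:
                findings.add(rule.tag + "-without-destination")  # hypothetical name
    # With a default-deny bus, nobody can call the service without such a rule.
    if not has_destination_allow:
        findings.add("dbus-policy-missing-allow")
    return sorted(findings)


if __name__ == "__main__":
    print("broken:", lint_policy(SAMPLE_BROKEN))
    print("fixed: ", lint_policy(SAMPLE_FIXED))
```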