openSUSE Recommended Update: dbus-1 ______________________________________________________________________________ Announcement ID: openSUSE-RU-2014:1548-1 Rating: moderate References: Affected Products: openSUSE 13.2 openSUSE 13.1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This recommended update for dbus-1 fixes the following issues: - Update to 1.8.12: + Partially revert the CVE-2014-3639 patch by increasing the default authentication timeout on the system bus from 5 seconds back to 30 seconds, since this has been reported to cause boot regressions for some users, mostly with parallel boot (systemd) on slower hardware. On fast systems where local users are considered particularly hostile, administrators can return to the 5 second timeout (or any other value in milliseconds) by saving this as /etc/dbus-1/system-local.conf: <busconfig> <limit name="auth_timeout">5000</limit> </busconfig> (fdo#86431) + Add a message in syslog/the Journal when the auth_timeout is exceeded (fdo#86431) + Send back an AccessDenied error if the addressed recipient is not allowed to receive a message (and in builds with assertions enabled, don't assert under the same conditions). (fdo#86194) Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.2: zypper in -t patch 3240 - openSUSE 13.1: zypper in -t patch 3240 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.2 (i586 x86_64): dbus-1-1.8.12-8.1 dbus-1-debuginfo-1.8.12-8.1 dbus-1-debugsource-1.8.12-8.1 dbus-1-devel-1.8.12-8.1 dbus-1-x11-1.8.12-8.1 dbus-1-x11-debuginfo-1.8.12-8.1 dbus-1-x11-debugsource-1.8.12-8.1 libdbus-1-3-1.8.12-8.1 libdbus-1-3-debuginfo-1.8.12-8.1 - openSUSE 13.2 (x86_64): dbus-1-debuginfo-32bit-1.8.12-8.1 dbus-1-devel-32bit-1.8.12-8.1 libdbus-1-3-32bit-1.8.12-8.1 libdbus-1-3-debuginfo-32bit-1.8.12-8.1 - openSUSE 13.2 (noarch): dbus-1-devel-doc-1.8.12-8.1 - openSUSE 13.1 (i586 x86_64): dbus-1-1.8.12-4.28.2 dbus-1-debuginfo-1.8.12-4.28.2 dbus-1-debugsource-1.8.12-4.28.1 dbus-1-devel-1.8.12-4.28.1 dbus-1-x11-1.8.12-4.28.2 dbus-1-x11-debuginfo-1.8.12-4.28.2 dbus-1-x11-debugsource-1.8.12-4.28.2 libdbus-1-3-1.8.12-4.28.1 libdbus-1-3-debuginfo-1.8.12-4.28.1 - openSUSE 13.1 (x86_64): dbus-1-debuginfo-32bit-1.8.12-4.28.2 dbus-1-devel-32bit-1.8.12-4.28.1 libdbus-1-3-32bit-1.8.12-4.28.1 libdbus-1-3-debuginfo-32bit-1.8.12-4.28.1 - openSUSE 13.1 (noarch): dbus-1-devel-doc-1.8.12-4.28.2 References: http://support.novell.com/security/cve/CVE-2014-3639.html