commit dbus-1 for openSUSE:Factory
Hello community, here is the log from the commit of package dbus-1 for openSUSE:Factory checked in at 2014-11-26 10:35:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dbus-1 (Old) and /work/SRC/openSUSE:Factory/.dbus-1.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "dbus-1" Changes: -------- --- /work/SRC/openSUSE:Factory/dbus-1/dbus-1-x11.changes 2014-11-13 09:16:35.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.dbus-1.new/dbus-1-x11.changes 2014-11-26 10:35:34.000000000 +0100 
@@ -1,0 +2,25 @@ +Tue Nov 25 07:43:12 UTC 2014 - fstrba@suse.com + +- Update to 1.8.12: + * Fixes: + - Partially revert the CVE-2014-3639 patch by increasing the + default authentication timeout on the system bus from 5 + seconds back to 30 seconds, since this has been reported to + cause boot regressions for some users, mostly with parallel + boot (systemd) on slower hardware. + On fast systems where local users are considered particularly + hostile, administrators can return to the 5 second timeout + (or any other value in milliseconds) by saving this as + /etc/dbus-1/system-local.conf: + <busconfig> + <limit name="auth_timeout">5000</limit> + </busconfig> + (fdo#86431, Simon McVittie) + - Add a message in syslog/the Journal when the auth_timeout is + exceeded (fdo#86431, Simon McVittie) + - Send back an AccessDenied error if the addressed recipient is + not allowed to receive a message (and in builds with + assertions enabled, don't assert under the same conditions). + (fdo#86194, Jacek Bukarewicz) + +------------------------------------------------------------------- dbus-1.changes: same change Old: ---- dbus-1.8.10.tar.gz New: ---- dbus-1.8.12.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dbus-1-x11.spec ++++++ --- /var/tmp/diff_new_pack.8Uwnnf/_old 2014-11-26 10:35:35.000000000 +0100 +++ /var/tmp/diff_new_pack.8Uwnnf/_new 2014-11-26 10:35:35.000000000 +0100 
@@ -27,7 +27,7 @@ %define _unitdir %{_libexecdir}/systemd/system %endif Name: dbus-1-x11 -Version: 1.8.10 +Version: 1.8.12 Release: 0 Summary: D-Bus Message Bus System License: GPL-2.0+ or AFL-2.1 dbus-1.spec: same change ++++++ dbus-1.8.10.tar.gz -> dbus-1.8.12.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.10/HACKING new/dbus-1.8.12/HACKING --- old/dbus-1.8.10/HACKING 2014-11-04 15:51:05.000000000 +0100 +++ new/dbus-1.8.12/HACKING 2014-11-14 20:06:38.000000000 +0100 @@ -11,6 +11,11 @@ Security === +If you find a security vulnerability that is not known to the public, +please report it privately to dbus-security@lists.freedesktop.org +or by reporting a freedesktop.org bug that is marked as +restricted to the "D-BUS security group". + Most of D-Bus is security sensitive. Guidelines related to that: - avoid memcpy(), sprintf(), strlen(), snprintf, strlcat(), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.10/NEWS new/dbus-1.8.12/NEWS --- old/dbus-1.8.10/NEWS 2014-11-06 16:39:02.000000000 +0100 +++ new/dbus-1.8.12/NEWS 2014-11-24 14:01:19.000000000 +0100 
@@ -1,3 +1,32 @@ +D-Bus 1.8.12 (2014-11-24) +== + +The “days of fuchsia passed” release. + +Fixes: + +• Partially revert the CVE-2014-3639 patch by increasing the default + authentication timeout on the system bus from 5 seconds back to 30 + seconds, since this has been reported to cause boot regressions for + some users, mostly with parallel boot (systemd) on slower hardware. + + On fast systems where local users are considered particularly hostile, + administrators can return to the 5 second timeout (or any other value + in milliseconds) by saving this as /etc/dbus-1/system-local.conf: + + <busconfig> + <limit name="auth_timeout">5000</limit> + </busconfig> + + (fd.o #86431, Simon McVittie) + +• Add a message in syslog/the Journal when the auth_timeout is exceeded + (fd.o #86431, Simon McVittie) + +• Send back an AccessDenied error if the addressed recipient is not allowed + to receive a message (and in builds with assertions enabled, don't + assert under the same conditions). (fd.o #86194, Jacek Bukarewicz) + D-Bus 1.8.10 (2014-11-10) == diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.10/README new/dbus-1.8.12/README --- old/dbus-1.8.10/README 2014-11-04 15:51:05.000000000 +0100 +++ new/dbus-1.8.12/README 2014-11-14 20:13:23.000000000 +0100 
@@ -29,6 +29,25 @@ only by accident; so you should evaluate carefully whether D-Bus makes sense for your project. +Security +== + +If you find a security vulnerability that is not known to the public, +please report it privately to dbus-security@lists.freedesktop.org +or by reporting a freedesktop.org bug that is marked as +restricted to the "D-BUS security group" (you might need to "Show +Advanced Fields" to have that option). + +On Unix systems, the system bus (dbus-daemon --system) is designed +to be a security boundary between users with different privileges. + +On Unix systems, the session bus (dbus-daemon --session) is designed +to be used by a single user, and only accessible by that user. + +We do not currently consider D-Bus on Windows to be security-supported, +and we do not recommend allowing untrusted users to access Windows +D-Bus via TCP. + Note: low-level API vs. high-level binding APIs === diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.10/bus/bus.c new/dbus-1.8.12/bus/bus.c --- old/dbus-1.8.10/bus/bus.c 2014-11-06 16:30:51.000000000 +0100 +++ new/dbus-1.8.12/bus/bus.c 2014-11-14 19:39:10.000000000 +0100 @@ -1660,7 +1660,7 @@ complain_about_message (context, DBUS_ERROR_ACCESS_DENIED, "Rejected receive message", toggles, message, sender, proposed_recipient, requested_reply, - (addressed_recipient == proposed_recipient), NULL); + (addressed_recipient == proposed_recipient), error); _dbus_verbose ("security policy disallowing message due to recipient policy\n"); return FALSE; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.10/bus/config-parser.c new/dbus-1.8.12/bus/config-parser.c --- old/dbus-1.8.10/bus/config-parser.c 2014-11-04 15:51:05.000000000 +0100 +++ new/dbus-1.8.12/bus/config-parser.c 2014-11-22 11:49:21.000000000 +0100 
@@ -438,7 +438,7 @@ * and legitimate auth will fail. If interactive auth (ask user for * password) is allowed, then potentially it has to be quite long. */ - parser->limits.auth_timeout = 5000; /* 5 seconds */ + parser->limits.auth_timeout = 30000; /* 30 seconds */ /* Do not allow a fd to stay forever in dbus-daemon * https://bugs.freedesktop.org/show_bug.cgi?id=80559 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.10/bus/connection.c new/dbus-1.8.12/bus/connection.c --- old/dbus-1.8.10/bus/connection.c 2014-11-04 15:51:05.000000000 +0100 +++ new/dbus-1.8.12/bus/connection.c 2014-11-22 11:49:21.000000000 +0100 @@ -860,6 +860,14 @@ if (elapsed >= (double) auth_timeout) { + /* Unfortunately, we can't identify the connection: it doesn't + * have a unique name yet, we don't know its uid/pid yet, + * and so on. */ + bus_context_log (connections->context, DBUS_SYSTEM_LOG_INFO, + "Connection has not authenticated soon enough, closing it " + "(auth_timeout=%dms, elapsed: %.0fms)", + auth_timeout, elapsed); + _dbus_verbose ("Timing out authentication for connection %p\n", connection); dbus_connection_close (connection); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.10/configure new/dbus-1.8.12/configure --- old/dbus-1.8.10/configure 2014-11-06 16:40:18.000000000 +0100 +++ new/dbus-1.8.12/configure 2014-11-24 14:02:03.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for dbus 1.8.10. +# Generated by GNU Autoconf 2.69 for dbus 1.8.12. # # Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=dbus>. # 
@@ -591,8 +591,8 @@ # Identity of this package. PACKAGE_NAME='dbus' PACKAGE_TARNAME='dbus' -PACKAGE_VERSION='1.8.10' -PACKAGE_STRING='dbus 1.8.10' +PACKAGE_VERSION='1.8.12' +PACKAGE_STRING='dbus 1.8.12' PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=dbus' PACKAGE_URL='' @@ -1513,7 +1513,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures dbus 1.8.10 to adapt to many kinds of systems. +\`configure' configures dbus 1.8.12 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1587,7 +1587,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of dbus 1.8.10:";; + short | recursive ) echo "Configuration of dbus 1.8.12:";; esac cat <<\_ACEOF @@ -1784,7 +1784,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -dbus configure 1.8.10 +dbus configure 1.8.12 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2503,7 +2503,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by dbus $as_me 1.8.10, which was +It was created by dbus $as_me 1.8.12, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3446,7 +3446,7 @@ # Define the identity of the package. PACKAGE='dbus' - VERSION='1.8.10' + VERSION='1.8.12' cat >>confdefs.h <<_ACEOF @@ -3746,7 +3746,7 @@ ## increment any time the source changes; set to ## 0 if you increment CURRENT -LT_REVISION=8 +LT_REVISION=9 ## increment if any interfaces have been added; set to 0 ## if any interfaces have been changed or removed. removal has @@ -3759,8 +3759,8 @@ DBUS_MAJOR_VERSION=1 DBUS_MINOR_VERSION=8 -DBUS_MICRO_VERSION=10 -DBUS_VERSION=1.8.10 +DBUS_MICRO_VERSION=12 +DBUS_VERSION=1.8.12 
@@ -23428,7 +23428,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by dbus $as_me 1.8.10, which was +This file was extended by dbus $as_me 1.8.12, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -23494,7 +23494,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -dbus config.status 1.8.10 +dbus config.status 1.8.12 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.10/configure.ac new/dbus-1.8.12/configure.ac --- old/dbus-1.8.10/configure.ac 2014-11-06 16:34:45.000000000 +0100 +++ new/dbus-1.8.12/configure.ac 2014-11-24 14:01:26.000000000 +0100 @@ -3,7 +3,7 @@ m4_define([dbus_major_version], [1]) m4_define([dbus_minor_version], [8]) -m4_define([dbus_micro_version], [10]) +m4_define([dbus_micro_version], [12]) m4_define([dbus_version], [dbus_major_version.dbus_minor_version.dbus_micro_version]) AC_INIT([dbus],[dbus_version],[https://bugs.freedesktop.org/enter_bug.cgi?product=dbus],[dbus]) @@ -37,7 +37,7 @@ ## increment any time the source changes; set to ## 0 if you increment CURRENT -LT_REVISION=8 +LT_REVISION=9 ## increment if any interfaces have been added; set to 0 ## if any interfaces have been changed or removed. removal has diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbus-1.8.10/ltmain.sh new/dbus-1.8.12/ltmain.sh --- old/dbus-1.8.10/ltmain.sh 2014-09-12 16:53:14.000000000 +0200 +++ new/dbus-1.8.12/ltmain.sh 2014-11-14 19:43:30.000000000 +0100 
@@ -70,7 +70,7 @@ # compiler: $LTCC # compiler flags: $LTCFLAGS # linker: $LD (gnu? $with_gnu_ld) -# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1.10 +# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1.11 # automake: $automake_version # autoconf: $autoconf_version # @@ -80,7 +80,7 @@ PROGRAM=libtool PACKAGE=libtool -VERSION="2.4.2 Debian-2.4.2-1.10" +VERSION="2.4.2 Debian-2.4.2-1.11" TIMESTAMP="" package_revision=1.3337 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
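Review bot: The private-reporting paragraph added to HACKING and the one added to README (hunks at -11 and -29) already differ: README carries the parenthetical (you might need to "Show Advanced Fields" to have that option) and HACKING does not. Keep one copy in README and have the Security section of HACKING point to it, so the contact address and the reporting instructions cannot drift apart.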
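Review bot: In the bus/bus.c hunk at -1660, the recipient-policy rejection now passes error to complain_about_message() and then returns FALSE, so callers on this path get a set error where they previously got FALSE with nothing set. Only this one call site is visible in the diff; please confirm that every caller frees or forwards the error, and that the other rejection paths in the same function follow the same convention, since NEWS ties this change to an assertion failure in assertion-enabled builds. The diff carries no regression test; one that sends to a recipient whose policy denies receipt and expects AccessDenied would pin the new behaviour.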
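Review bot: In bus/config-parser.c at -438, the built-in auth_timeout default goes from 5000 back to 30000, which relaxes the limit the CVE-2014-3639 patch had tightened and lets an unauthenticated connection stay open six times longer before bus/connection.c closes it. The inline comment only says /* 30 seconds */; put the reason and the override next to the value (fd.o #86431, and <limit name="auth_timeout"> in /etc/dbus-1/system-local.conf) so the next reader does not lower it again without knowing about the boot regressions. On the packaging side, the .changes entry is the only place in this commit where an administrator of a multi-user system learns that the 5 second value is now opt-in.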
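Review bot: In bus/connection.c at -860, the new bus_context_log() call runs once for every connection that reaches the timeout, and as the added comment says the peer cannot be identified at that point, so a local process that opens connections and never authenticates produces one syslog/Journal line per connection. Consider rate-limiting the message or logging a count per interval instead. Also check the format string against the types: auth_timeout is printed with %d and elapsed with %.0f, which is correct only if auth_timeout is an int and elapsed a double, as the (double) cast in the condition suggests.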
participants (1)
-
root@hilbert.suse.de