[opensuse-security] dbus security update in the update test repo
Hi,

The update test repo contains among other upcoming updates a dbus security update (CVE-2008-4311). Unfortunately the access policy change required to fix the problem turns up problems in the policy files of several other applications. I.e. the fix breaks other applications. We've already added fixes for bluez, hal, PackageKit and pommed. knetworkmanager will follow soon. Due to the large impact of the update and since we can't test all use cases ourselves though. So I'd like to ask for help here. So if you are interested in helping to ensure that this update causes as little trouble as possible after its official release please add our update test repository and install the dbus related updates. You should be experienced enough to be able to reinstall working packages in case of trouble though.

You can add the repo and install updates e.g. via zypper

11.1:
  # zypper ar http://download.opensuse.org/update/11.1-test update-test
  # zypper patch

11.0:
  # zypper ar http://download.opensuse.org/update/11.0-test update-test
  # zypper up

10.3:
  # zypper ar http://download.opensuse.org/update/10.3-test update-test
  # zypper up

While the new policy is applied immediately after the update, dbus needs to be restarted to have it log to /var/log/messages. Rebooting the system is the least painful way to do that.

If you see messages like the following after the update in /var/log/messages you've probably discovered a bug in a package that needs additional fixes and we like to know about it:

  ... dbus-daemon: Rejected send message, 1 matched rules; type="method_call", ...

Log entries about messages of type "method_return" are usually false positives caused by bugs in glib bindings.

Thanks in advance everyone using the update-test repo! :-)

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
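A triage sketch for the log check described in the announcement above, added here as an example and not part of the original post. It counts dbus-daemon rejections per destination, interface and member so the affected package can be named in a report, and sets aside "method_return" entries. The sample lines are constructed, and the key="value" fields after the quoted prefix are an assumed layout.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages. Only the
# 'dbus-daemon: Rejected send message, ... type="..."' prefix is taken from
# the post; the key="value" fields after it and all names are assumed.
SAMPLE_LOG = '''\
Feb  6 09:12:01 host dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.42" interface="org.example.Power" member="Suspend" destination="org.example.Power"
Feb  6 09:12:05 host dbus-daemon: Rejected send message, 1 matched rules; type="method_return", sender=":1.7" interface="(unset)" member="(unset)" destination=":1.42"
Feb  6 09:13:10 host dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.42" interface="org.example.Power" member="Suspend" destination="org.example.Power"
Feb  6 09:14:00 host dbus-daemon: Rejected send message, 2 matched rules; type="method_call", sender=":1.50" interface="org.example.Net" member="Scan" destination="org.example.Net"
Feb  6 09:14:02 host kernel: eth0: link up
'''

# Tolerates an optional "[pid]" after the program name (assumption).
REJECTED = re.compile(r'dbus-daemon(?:\[\d+\])?: Rejected send message, ')
FIELD = re.compile(r'(\w+)="([^"]*)"')


def triage(lines):
    """Return (reportable, skipped): reportable counts rejections per
    (type, destination, interface, member); skipped counts method_return
    rejections, which the post calls usually false positives."""
    reportable, skipped = Counter(), 0
    for line in lines:
        m = REJECTED.search(line)
        if not m:
            continue  # not a dbus policy rejection
        fields = dict(FIELD.findall(line[m.end():]))
        if fields.get("type") == "method_return":
            skipped += 1
            continue
        key = tuple(fields.get(k, "?") for k in
                    ("type", "destination", "interface", "member"))
        reportable[key] += 1
    return reportable, skipped


if __name__ == "__main__":
    found, skipped = triage(SAMPLE_LOG.splitlines())
    for (mtype, dest, iface, member), n in found.most_common():
        print(f"{n:3d}x {mtype} -> {dest} {iface}.{member}")
    print(f"{skipped} method_return rejection(s) skipped")
```

To run it against a real system, pass the lines of /var/log/messages to `triage()` instead of `SAMPLE_LOG`.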
On Friday 06 February 2009 07:10:58 am Ludwig Nussel wrote:
> Hi,
>
> The update test repo contains among other upcoming updates a dbus security update (CVE-2008-4311). Unfortunately the access policy change required to fix the problem turns up problems in the policy files of several other applications. I.e. the fix breaks other applications. We've already added fixes for bluez, hal, PackageKit and pommed. knetworkmanager will follow soon. Due to the large impact of the update and since we can't test all use cases ourselves though. So I'd like to ask for help here. So if you are interested in helping to ensure that this update causes as little trouble as possible after its official release please add our update test repository and install the dbus related updates. You should be experienced enough to be able to reinstall working packages in case of trouble though.
>
> You can add the repo and install updates e.g. via zypper
>
> 11.1:
>   # zypper ar http://download.opensuse.org/update/11.1-test update-test
>   # zypper patch
>
> 11.0:
>   # zypper ar http://download.opensuse.org/update/11.0-test update-test
>   # zypper up
>
> 10.3:
>   # zypper ar http://download.opensuse.org/update/10.3-test update-test
>   # zypper up
>
> While the new policy is applied immediately after the update, dbus needs to be restarted to have it log to /var/log/messages. Rebooting the system is the least painful way to do that.
>
> If you see messages like the following after the update in /var/log/messages you've probably discovered a bug in a package that needs additional fixes and we like to know about it:
>
>   ... dbus-daemon: Rejected send message, 1 matched rules; type="method_call", ...
>
> Log entries about messages of type "method_return" are usually false positives caused by bugs in glib bindings.
>
> Thanks in advance everyone using the update-test repo! :-)
I added update repository and during update name resolution started to fail. I got to hit Retry, sometimes few times in the row, to get zypper to continue. After reboot I was without name resolution.

What I did was long way around reinstalling almost all stuff from DVD, that would be, probably, cured with adding 'nameserver <my_router_IP>' to /etc/resolv.conf instantly after update, which I did this morning in order to go online and pick regular updates, not from update-test.

The /var/log/messages did not contain any error reports like those that you mentioned.

--
Regards, Rajko
Rajko M. wrote:
> I added update repository and during update name resolution started to fail. I got to hit Retry, sometimes few times in the row, to get zypper to continue. After reboot I was without name resolution.

That's bad :-(

> What I did was long way around reinstalling almost all stuff from DVD, that would be, probably, cured with adding 'nameserver <my_router_IP>' to /etc/resolv.conf instantly after update, which I did this morning in order to go online and pick regular updates, not from update-test.

A glibc update has been released related to name resolution. That one is already in the official repo though.

cu
Ludwig
Rajko M. wrote:
> I added update repository and during update name resolution started to fail. I got to hit Retry, sometimes few times in the row, to get zypper to continue. After reboot I was without name resolution.

probably bug 473308

cu
Ludwig