Mailinglist Archive: opensuse-packaging (129 mails)

Re: [opensuse-packaging] new dbus policy rpmlint check in Factory
  • From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
  • Date: Mon, 26 Jan 2009 14:31:28 +0100
  • Message-id: <200901261431.28879.ludwig.nussel@xxxxxxx>
Vincent Untz wrote:
> On Monday 26 January 2009, at 11:49 +0100, Ludwig Nussel wrote:
> > The dbus package used a too permissive configuration in the past
> > which led to security problems (CVE-2008-4311). During investigation
> > of that problem it was found that many packages install dbus
> > configuration files that contain useless settings, settings that
> > harm other services or settings that even break after the dbus
> > security update.
> >
> > Therefore I've written an rpmlint check that warns about such flaws.
> > The check 'dbus-policy-missing-allow' will abort the build though.
> > If you encounter that error you need to fix your dbus policy as the
> > package will break (i.e. the service it offers via dbus won't work)
> > after a dbus with the restrictive config gets checked in.
>
> For which versions of openSUSE will this be enabled? (i.e., should we
> backport the fixes we do to 11.1 & earlier?)

A dbus package with the default policy set to deny will be released
sooner or later for all currently maintained distributions. For
released distributions it should be sufficient to fix the breakages
only though. The other configuration mistakes are not severe enough
to justify security updates in most cases. We're still evaluating
that though. If you already know that your package breaks or if the
config of your package opens bad security holes just let us
(security@xxxxxxx) know. We will hook you into the update process


(o_ Ludwig Nussel
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
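
A rough sketch of the kind of policy audit discussed in this message, as an added example; it is not the rpmlint check itself and not code from this thread. The service name `org.example.Daemon`, both sample policies and the finding labels are constructed, and the two heuristics (an owned bus name needs a matching `<allow send_destination=.../>` once the default is deny; a send rule without a destination also applies to other services) are assumptions about how such flaws can be detected.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies; org.example.Daemon is a made-up service name.
BROKEN = """<busconfig>
  <policy user="root">
    <allow own="org.example.Daemon"/>
  </policy>
  <policy context="default">
    <deny send_interface="org.freedesktop.DBus.Introspectable"/>
  </policy>
</busconfig>"""

FIXED = """<busconfig>
  <policy user="root">
    <allow own="org.example.Daemon"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.Daemon"/>
    <deny send_destination="org.example.Daemon"
          send_interface="org.freedesktop.DBus.Introspectable"/>
  </policy>
</busconfig>"""

def audit_policy(xml_text):
    """Return a list of finding strings for one D-Bus policy file."""
    root = ET.fromstring(xml_text)
    owned, reachable, findings = set(), set(), []
    for policy in root.iter("policy"):
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            dest = rule.attrib.get("send_destination")
            if rule.tag == "allow" and "own" in rule.attrib:
                owned.add(rule.attrib["own"])
            if rule.tag == "allow" and dest:
                reachable.add(dest)
            sends = [a for a in rule.attrib if a.startswith("send_")]
            # A send_* match with no destination applies to every service on the bus.
            if sends and not dest:
                findings.append(f"{rule.tag}-without-destination: "
                                f"{sends[0]}={rule.attrib[sends[0]]}")
    # With a default-deny bus, an owned name nobody may send to is unusable.
    for name in sorted(owned - reachable):
        findings.append(f'missing-allow: no <allow send_destination="{name}"/> rule')
    return findings

if __name__ == "__main__":
    for label, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, audit_policy(text))
```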