Mailinglist Archive: opensuse-security (21 mails)

< Previous Next >
Re: [opensuse-security] dbus security update in the update test repo
  • From: "Rajko M." <rmatov101@xxxxxxxxxxx>
  • Date: Sat, 7 Feb 2009 17:51:23 -0600
  • Message-id: <200902071751.24039.rmatov101@xxxxxxxxxxx>
On Friday 06 February 2009 07:10:58 am Ludwig Nussel wrote:
Hi,

The update test repo contains among other upcoming updates a dbus
security update (CVE-2008-4311). Unfortunately the access policy
change required to fix the problem turns up problems in the policy
files of several other applications. I.e. the fix breaks other
applications. We've already added fixes for bluez, hal, PackageKit
and pommed. knetworkmanager will follow soon. Due to the large
impact of the update and since we can't test all uses cases
ourselves though. So I'd like to ask for help here. So if you are
interested in helping to ensure that this update cause as little
trouble as possible after it's official release please add our
update test repository and install the dbus related updates. You
should be experienced enough to be able to reinstall working
packages in case of trouble though.

You can add the repo and install updates e.g. via zypper

11.1:
# zypper ar http://download.opensuse.org/update/11.1-test update-test
# zypper patch

11.0:
# zypper ar http://download.opensuse.org/update/11.0-test update-test
# zypper up

10.3:
# zypper ar http://download.opensuse.org/update/10.3-test update-test
# zypper up

While the new policy is applied immediately after the update dbus
needs to be restarted to have it log to /var/log/messages. Rebooting
the system is the least painful way to do that.

If you see messages like the following after the update in
/var/log/messages you've probably discovered a bug in a package that
needs additional fixes and we like to know about it:

... dbus-daemon: Rejected send message, 1 matched rules;
type="method_call", ...

Log entries about messages of type "method_return" are usually false
positives caused by bugs in glib bindings.

Thanks in advance everyone using the update-test repo! :-)

I added update repository and during update name resolution started to fail.
I got to hit Retry, sometimes few times in the row, to get zypper to continue.
After reboot I was without name resolution.

What I did was long way around reinstalling almost all stuff from DVD, that
would be, probably, cured with adding 'nameserver <my_router_IP>'
to /etc/resolv.conf instantly after update, which I did this morning in order
to go online and pick regular updates, not from update-test.

The /var/log/messages did not contain any error reports like those that you
mentioned.


--
Regards, Rajko
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx

< Previous Next >
References