SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for dbus-1-tools-1.14.4-3.4.x86_64.rpm :

* Wed Oct 26 2022 Dirk Müller - update to 1.14.4 (bsc#1204111, CVE-2022-42010, bsc#1204112, CVE-2022-42011, bsc#1204113, CVE-2022-42012): This is a security update for the dbus 1.14.x stable branch, fixing denial-of-service issues (CVE-2022-42010, -42011, -42012) and applying security hardening (dbus#416). Behaviour changes:
* On Linux, dbus-daemon and other uses of DBusServer now create a path-based Unix socket, unix:path=..., when asked to listen on a unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to unix:dir=... on all platforms. Previous versions would have created an abstract socket, unix:abstract=..., in this situation. This change primarily affects the well-known session bus when run via dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring dbus with --enable-user-session and running it on a systemd system, already used path-based Unix sockets and is unaffected by this change. This behaviour change prevents a sandbox escape via the session bus socket in sandboxing frameworks that can share the network namespace with the host system, such as Flatpak. This change might cause a regression in situations where the abstract socket is intentionally shared between the host system and a chroot or container, such as some use-cases of schroot(1). That regression can be resolved by using a bind-mount to share either the D-Bus socket, or the whole /tmp directory, with the chroot or container. (dbus#416, Simon McVittie)
* Denial of service fixes: - Evgeny Vereshchagin discovered several ways in which an authenticated local attacker could cause a crash (denial of service) in dbus-daemon --system or a custom DBusServer. In uncommon configurations these could potentially be carried out by an authenticated remote attacker. - An invalid array of fixed-length elements where the length of the array is not a multiple of the length of the element would cause an assertion failure in debug builds or an out-of-bounds read in production builds. This was a regression in version 1.3.0. (dbus#413, CVE-2022-42011; Simon McVittie) - A syntactically invalid type signature with incorrectly nested parentheses and curly brackets would cause an assertion failure in debug builds. Similar messages could potentially result in a crash or incorrect message processing in a production build, although we are not aware of a practical example. (dbus#418, CVE-2022-42010; Simon McVittie) - A message in non-native endianness with out-of-band Unix file descriptors would cause a use-after-free and possible memory corruption in production builds, or an assertion failure in debug builds. This was a regression in version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie) - Preserve errno on failure to open /proc/self/oom_score_adj (dbus!285, Gentoo#834725; Mike Gilbert) - On Linux, don\'t log warnings if oom_score_adj is read-only but does not need to be changed (dbus!291, Simon McVittie) - Slightly improve error-handling for inotify (dbus!235, Simon McVittie) - Don\'t crash if dbus-daemon is asked to watch more than 128 directories for changes (dbus!302, Jan Tojnar)
* Thu Oct 13 2022 Dirk Müller - Disable asserts (bsc#1087072)
* Wed Jun 08 2022 Dirk Müller - version provides- add split provides- remove unused/obsolete pre_checkin.sh
* Thu May 26 2022 Simon Lees - The great dbus package split of 22, in preperation for replacing dbus-daemon with dbus-broker currently there is no functional difference that will change later, this follows a similar setup to RedHat and Debian.
* dbus-daemon is now in its own separate package
* Create a dbus-1-common package with all the files and config that are shared between the dbus-daemon and dbus-broker implementations.
* Create a dbus-1-tools package with the tools eventually we will likely want to move to only recommending this package Redhat and Debian have both already gone down this path.
* Thu Mar 17 2022 Fabian Vogt - Drop use of %{with libalternatives}, there\'s no such bcond defined and in many other places it\'s not optional anyway (boo#1197258)
* Mon Mar 14 2022 Dirk Müller - set runstatedir correctly
* Fri Mar 04 2022 Bjørn Lie - Update to version 1.14.0: + Dependencies: - dbus now requires at least a basic level of support for C99 variadic macros, as implemented in gcc >= 3, all versions of Clang, and MSVC >= 2005. In practice this requirement has existed since version 1.9.2, but it is now official. - dbus now requires a C99-compatible va_copy() macro (or a __va_copy() macro with the same behaviour), except when building for Windows using MSVC and CMake. - On Unix platforms, if getpwnam_r() and getgrnam_r() are implemented, they must be POSIX-conformant. The non-POSIX signature seen in ancient Solaris versions will no longer work. - GLib >= 2.38 is required if full test coverage is enabled (reduced from 2.40 in dbus 1.12.x.) - Building using CMake now requires CMake 3.4. - Building documentation using CMake now requires xsltproc, Docbook DTDs (for example docbook-xml on Debian derivatives), and Docbook XSLT stylesheets (for example docbook-xsl on Debian derivatives). Using KDE\'s meinproc4 documentation processor is no longer supported. + Build-time configuration changes: Move CMake build system to top level, matching normal practice for CMake projects + Deprecations: - Third-party software should install default dbus policies for the system bus into ${datadir}/dbus-1/system.d (this has been supported since dbus 1.10, released in August 2015). Installing default dbus policies in ${sysconfdir}/dbus-1/system.d is now considered to be deprecated. Policy files in ${sysconfdir}/dbus-1/system.d continue to be read, but this directory should only be used by system administrators wishing to override the default policies. - The ${datadir} applicable to dbus is usually /usr/share and the ${sysconfdir} is usually /etc. - A similar pattern applies to the session bus policies in session.d. - The dbus-send(1) man page now documents --bus and --peer instead of the old --address synonym for --peer, which has been deprecated since the introduction of --bus and --peer in 1.7.6 - The dbus-daemon man page now has scarier warnings about and non-local TCP, which are insecure and should not be used, particularly for the standard system and session buses. - DBusServer (and hence the dbus-daemon) no longer accepts usernames (login names) for the recommended EXTERNAL authentication mechanism, only numeric user IDs or the empty string. See 1.13.0 release notes for full details. + New features: - On Linux 4.13 or later when built against a suitable glibc version, GetConnectionCredentials() now includes UnixGroupIDs, the effective group IDs of the initiator of the connection, taken from SO_PEERGROUPS. - On Linux 4.13 or later, now uses the SO_PEERGROUPS credentials-passing socket option to get the effective group IDs of the initiator of the connection. See 1.13.4 release notes for details. - Add a --sender option to dbus-send, which requests a name and holds it until the signal has been sent - dbus-daemon and rules can now specify a send_destination_prefix attribute, which is like a combination of send_destination and the arg0namespace keyword in match rules. See 1.13.12 release notes for more details. - The dbus-daemon now filters the messages that it relays, removing header fields that it does not understand. Clients must not rely on this behaviour unless they have confirmed that they are connected to a suitable message bus implementation, for example by querying its Features property. - The dbus-daemon now emits a signal, ActivatableServicesChanged, when the list of activatable services may have changed. Support for this signal can be discovered by querying the Features property. - It is now possible to disable traditional (non-systemd) service activation at build-time (Autotools: - -disable-traditional-activation, CMake: - DENABLE_TRADITIONAL_ACTIVATION=OFF). See 1.13.10 release notes for details. - The API reference manual can be built as a Qt compiled help file if qhelpgenerator(-qt5) is available. See 1.13.16 release notes for details. + Miscellaneous behaviour changes: - When using the \"user bus\" (--enable-user-session), put the dbus-daemon in the session slice - Several environment variables set by systemd are no longer passed on to activated services - If the dbus-daemon is compiled for Linux with systemd support, it now informs systemd that it is ready for use via the sd_notify() mechanism. - Tarball releases no longer contain pre-2007 changelogs and are now compressed with xz, making them around 35% smaller.- Drop conditionals for old obsolete versions of openSUSE.- Rebase patches with quilt.- Use https for source and sig URL.
* Tue Mar 01 2022 Bjørn Lie - Update to version 1.12.22: + On Linux, when using traditional (non-systemd) service activation, don\'t log warnings about failing to reset OOM score adjustment if the process is already more susceptible to the OOM killer, as user processes usually are with systemd ≥ 250. + On Linux, when using traditional (non-systemd) system bus activation, reset the OOM score adjustment to 0 as intended. If the system dbus-daemon is protected from the OOM killer, this avoids that protection unintentionally being inherited by every system service. + Avoid malloc() after fork on non-GNU libc. + Fix build with clang 13 by using Standard C offsetof where available. + Fix build of tests on FreeBSD. + Make documentation build more reproducible. + On Unix, make X11 autolaunch cope with slashes in DISPLAY. + Don\'t try to raise RLIMIT_NOFILE beyond OPEN_MAX on macOS. + Fix compilation if embedded tests are enabled but verbose mode and stats are both disabled. + On Linux, fix a race condition in the integration test for transient services.
* Mon Nov 08 2021 Callum Farmer - Add CONFIG parameter to %sysusers_generate_pre
* Thu Sep 23 2021 Stefan Schubert - Added BuildRequires alts for libalternatives.
* Thu Sep 16 2021 Stefan Schubert - Fixed spec file regarding removing old update-alternatives entries.
* Wed Aug 04 2021 Stefan Schubert - Use libalternatives instead of update-alternatives.
* Wed Apr 07 2021 Dirk Müller - avoid listing cmake directory - owned by cmake package
* Fri Dec 04 2020 Ludwig Nussel - retire /lib/dbus-1/system-services as it\'s deprecated
* Fri Oct 16 2020 Ludwig Nussel - prepare usrmerge (boo#1029961)
* Fri Aug 21 2020 Dan Čermák - Require diffutils in post so that cmp is available
* Thu Jul 16 2020 Matthias Eliasson - Update to 1.12.20
* On Unix, avoid a use-after-free if two usernames have the same numeric uid. In older versions this could lead to a crash (denial of service) or other undefined behaviour, possibly including incorrect authorization decisions if is used. Like Unix filesystems, D-Bus\' model of identity cannot distinguish between users of different names with the same numeric uid, so this configuration is not advisable on systems where D-Bus will be used. Thanks to Daniel Onaca. (dbus#305, dbus!166; Simon McVittie)- From 1.12.18
* CVE-2020-12049: If a message contains more file descriptors than can be sent, close those that did get through before reporting error. Previously, a local attacker could cause the system dbus-daemon (or another system service with its own DBusServer) to run out of file descriptors, by repeatedly connecting to the server and sending fds that would get leaked. Thanks to Kevin Backhouse of GitHub Security Lab. (dbus#294, GHSL-2020-057; Simon McVittie)
* Fix a crash when the dbus-daemon is terminated while one or more monitors are active (dbus#291, dbus!140; Simon McVittie)
* The dbus-send(1) man page now documents --bus and --peer instead of the old --address synonym for --peer, which has been deprecated since the introduction of --bus and --peer in 1.7.6 (fd.o #48816, dbus!115; Chris Morin)
* Fix a wrong environment variable name in dbus-daemon(1) (dbus#275, dbus!122; Mubin, Philip Withnall)
* Fix formatting of dbus_message_append_args example (dbus!126, Felipe Franciosi)
* Avoid a test failure on Linux when built in a container as uid 0, but without the necessary privileges to increase resource limits (dbus!58, Debian #908092; Simon McVittie)
* When building with CMake, cope with libX11 in a non-standard location (dbus!129, Tuomo Rinne)- Run spec-cleaner
* Sun Jan 19 2020 Stefan Brüns - Move generation of API docs to a separate package, avoid doxygen dependency for building main package.- Build x11 and devel-doc (API doc) using _multibuild.
* Sun Jan 19 2020 Stefan Brüns - Drop no longer required call to autoreconf, remove obsolete BuildRequires for libtool and autoconf-archive.
* Fri Jan 17 2020 Thorsten Kukuk - Remove left overs from blocking restart on update from May 29th 2019- Use sysusers.d to create messagebus user
* Tue Dec 03 2019 Simon Lees - Verify signatures
* dbus-1.keyring - Key for Simon McVittie (smcv) from the Debian developer keyring.- Drop dbus_at_console.ck not needed- Clean up sources
* Source2 dbus-1.desktop now Source4
* baselib.conf now source 3- Update to 1.12.16
* CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1 authentication for identities that differ from the user running the DBusServer. Previously, a local attacker could manipulate symbolic links in their own home directory to bypass authentication and connect to a DBusServer with elevated privileges. The standard system and session dbus-daemons in their default configuration were immune to this attack because they did not allow DBUS_COOKIE_SHA1, but third-party users of DBusServer such as Upstart could be vulnerable. Thanks to Joe Vennix of Apple Information Security. (bsc#1137832, dbus#269, Simon McVittie)- From 1.12.14
* Raise soft fd limit to match hard limit, even if unprivileged. This makes session buses with many clients, or with clients that make heavy use of fd-passing, less likely to suffer from fd exhaustion. (dbus!103, Simon McVittie)
* If a privileged dbus-daemon has a hard fd limit greater than 64K, don\'t reduce it to 64K, ensuring that we can put back the original fd limits when carrying out traditional (non-systemd) activation. This fixes a regression with systemd >= 240 in which system services inherited dbus-daemon\'s hard and soft limit of 64K fds, instead of the intended soft limit of 1K and hard limit of 512K or 1M. (dbus!103, Debian#928877; Simon McVittie)
* Fix build failures caused by an AX_CODE_COVERAGE API change in newer autoconf-archive versions (dbus#249, dbus!88; Simon McVittie)
* Fix build failures with newer autoconf-archive versions that include AX_-prefixed shell variable names (dbus#249, dbus!86; Simon McVittie)
* Parse section/group names in .service files according to the syntax from the Desktop Entry Specification, rejecting control characters and non-ASCII in section/group names (dbus#208, David King)
* Fix various -Wlogical-op issues that cause build failure with newer gcc versions (dbus#225, dbus!109; David King)
* Don\'t assume we can set permissions on a directory, for the benefit of MSYS and Cygwin builds (dbus#216, dbus!110; Simon McVittie)
* Don\'t overwrite PKG_CONFIG_PATH and related environment variables when the pkg-config-based version of DBus1Config is used in a CMake project (dbus#267, dbus!96; Clemens Lang)- Drop now upstream Patches
* dbus-no-ax-check.patch
* dbus-new-autoconf-archive.patch
* Wed Nov 20 2019 Stefan Brüns - Fix two inconsistencies with _libexecdir, sysusers.d and tmpfiles.d are always in %{_prefix}/lib/.- Drop update-desktop-files BuildRequires, once added for mimetypes.prov which is no longer part of update-desktop-files, and dbus-1.desktop does not even handles a single mimetype.
* Wed May 29 2019 Simon Lees - Replace DISABLE_RESTART_ON_UPDATE with %service_del_postun_without_restart- Remove version specific code to block all updates on restart as hopefully no tumbleweed versions still have code causing those issues (was only present for a few snapshots)
* Wed Apr 24 2019 Tomáš Chvátal - Remove the Leap42 conditionals that cause file conflict with filesystem package
* Fri Feb 22 2019 Franck Bui - Drop use of $FIRST_ARG in .spec The use of $FIRST_ARG was probably required because of the %service_
* rpm macros were playing tricks with the shell positional parameters. This is bad practice and error prones so let\'s assume that no macros should do that anymore and hence it\'s safe to assume that positional parameters remains unchanged after any rpm macro call.
* Wed Jan 30 2019 Tomáš Chvátal - Update to 1.12.12:
* Reference the freedesktop.org Code of Conduct (Simon McVittie)
* Stop the dbus-daemon leaking memory (an error message) if delivering the message that triggered auto-activation is forbidden. This is technically a denial of service because the dbus-daemon will run out of memory eventually, but it\'s a very slow and noisy one, because all the rejected messages are also very likely to have been logged to the system log, and its scope is typically limited by the finite number of activatable services available. (dbus#234, Simon McVittie)
* Remove __attribute__((__malloc__)) attribute on dbus_realloc(), which does not meet the criteria for that attribute in gcc 4.7+, potentially leading to miscompilation (fd.o #107741, Simon McVittie)
* Fix some small O(1) memory leaks (fd.o #107320, Simon McVittie)
* Fix printf formats for pointer-sized integers on 64-bit Windows (fd.o #105662, Ralf Habacker)
* Always use select()-based poll() emulation on Darwin-based OSs (macOS, etc.) and on Interix, similar to what libcurl does (dbus#232, dbus!19; Simon McVittie)
* Extend a test timeout to avoid spurious failures in CI (dbus!26, Simon McVittie)
* Wed Jan 30 2019 Tomáš Chvátal - Add patch to build with new autoconf-archive, there is now bash variable AX_BLA that gets detected and autoreconf aborts; thus rather just disable the pointless check:
* dbus-no-ax-check.patch- Add patch to fix codecoverage m4 macro changes in autoconf-archive:
* dbus-new-autoconf-archive.patch
* Tue Jan 15 2019 alarrosaAATTsuse.com- Make libdbus-1-3 own the %{_datadir}/dbus-1/system.d directory
* Mon Jan 14 2019 kukukAATTsuse.de- Use %license instead of %doc [bsc#1082318]
 
ICM