[MacPorts] #46504: Update: dbus 1.8.14
MacPorts
noreply at macports.org
Fri Jan 9 09:19:41 PST 2015
#46504: Update: dbus 1.8.14
----------------------------+--------------------------------
  Reporter:  mschamschula@…  |      Owner:  macports-tickets@…
      Type:  update          |     Status:  new
  Priority:  Normal          |  Milestone:
 Component:  ports           |    Version:  2.3.3
  Keywords:  haspatch        |       Port:  dbus
----------------------------+--------------------------------
dbus has been updated to version 1.8.14:
{{{
The “40lb of roofing nails” release.

Security hardening:

• Do not allow calls to UpdateActivationEnvironment from uids other than
  the uid of the dbus-daemon. If a system service installs unsafe
  security policy rules that allow arbitrary method calls
  (such as CVE-2014-8148) then this prevents memory consumption and
  possible privilege escalation via UpdateActivationEnvironment.

  We believe that in practice, privilege escalation here is avoided
  by dbus-daemon-launch-helper sanitizing its environment; but
  it seems better to be safe.

• Do not allow calls to UpdateActivationEnvironment or the Stats interface
  on object paths other than /org/freedesktop/DBus. Some system services
  install unsafe security policy rules that allow arbitrary method calls
  to any destination, method and interface with a specified object path;
  while less bad than allowing arbitrary method calls, these security
  policies are still harmful, since dbus-daemon normally offers the
  same API on all object paths and other system services might behave
  similarly.
}}}
--
Ticket URL: <https://trac.macports.org/ticket/46504>
MacPorts <https://www.macports.org/>
Ports system for OS X
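
The release notes quoted above name two kinds of unsafe policy rule: rules that allow arbitrary method calls, and rules that fix only an object path while leaving destination, interface and method open. The following Python script is an added example, not part of the ticket or of dbus; it scans a bus policy file for `<allow>` rules of both kinds. The sample policy, the service name `com.example.Service` and the function names `classify` and `audit` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy file, for illustration only (not from a real service).
SAMPLE_POLICY = """<busconfig>
  <policy user="root">
    <allow own="com.example.Service"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.example.Service"
           send_interface="com.example.Service.Status"/>
    <allow send_type="signal"/>
    <allow send_type="method_call"/>
    <allow send_path="/com/example/Service"/>
  </policy>
</busconfig>"""

# Attributes that restrict a send rule to one interface or method.
NARROWING = ("send_interface", "send_member")

def classify(rule):
    """Label one <allow> element, or return None if this check does not cover it."""
    attrs = rule.attrib
    if not any(a.startswith("send_") for a in attrs):
        return None  # own=, user=, receive_* rules: not a send rule
    if "send_destination" in attrs:
        return None  # tied to one named destination
    if attrs.get("send_type", "method_call") != "method_call":
        return None  # signals, replies and errors are not method calls
    if any(a in attrs for a in NARROWING):
        return None  # narrowed by interface or member: outside the two cases
    if "send_path" in attrs:
        return "path-only"  # any destination/interface/method on one object path
    return "arbitrary"      # any method call to any destination

def audit(xml_text):
    """Return (label, policy attributes, rule attributes) for each flagged rule."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        for rule in policy.findall("allow"):
            label = classify(rule)
            if label:
                findings.append((label, dict(policy.attrib), dict(rule.attrib)))
    return findings

if __name__ == "__main__":
    for label, policy, rule in audit(SAMPLE_POLICY):
        print(f"{label}: policy={policy} rule={rule}")
```

The policy attributes are returned with each finding because a broad rule under `context="default"` applies to every caller, while the same rule under a specific `user` or `group` has a narrower reach.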