-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 09 Jun 2019 22:42:06 +0100
Source: dbus
Binary: dbus dbus-1-dbg dbus-1-doc dbus-tests dbus-udeb dbus-user-session dbus-x11 libdbus-1-3 libdbus-1-3-udeb libdbus-1-dev
Architecture: all
Version: 1.10.28-0+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: all Build Daemon (x86-csail-02)
Changed-By: Simon McVittie
Description:
 dbus       - simple interprocess messaging system (daemon and utilities)
 dbus-1-dbg - simple interprocess messaging system (debug symbols)
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-tests - simple interprocess messaging system (test infrastructure)
 dbus-udeb  - simple interprocess messaging system (minimal runtime) (udeb)
 dbus-user-session - simple interprocess messaging system (systemd --user integration)
 dbus-x11   - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system (library)
 libdbus-1-3-udeb - simple interprocess messaging system (minimal library) (udeb)
 libdbus-1-dev - simple interprocess messaging system (development headers)
Changes:
 dbus (1.10.28-0+deb9u1) stretch-security; urgency=medium
 .
   * New upstream stable release
     - CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
       authentication for identities that differ from the user running the
       DBusServer. Previously, a local attacker could manipulate symbolic
       links in their own home directory to bypass authentication and
       connect to a DBusServer with elevated privileges. The standard system
       and session dbus-daemons in their default configuration were immune
       to this attack because they did not allow DBUS_COOKIE_SHA1, but
       third-party users of DBusServer such as Upstart could be vulnerable.
     - Prevent reading up to 3 bytes beyond the end of a truncated message.
       This could in principle be an information leak or denial of service
       on the system bus, but is not believed to be exploitable to crash the
       system bus or leak interesting information in practice.
     - Stop the dbus-daemon leaking memory (an error message) if delivering
       the message that triggered auto-activation is forbidden. This is
       technically a denial of service because the dbus-daemon will run out
       of memory eventually, but it's a very slow and noisy one, because all
       the rejected messages are also very likely to have been logged to the
       system log, and its scope is typically limited by the finite number
       of activatable services available.
     - Remove __attribute__((__malloc__)) attribute on dbus_realloc(), which
       does not meet the criteria for that attribute in gcc 4.7+,
       potentially leading to miscompilation.
     - Fix build with gcc 8 -Werror=cast-function-type
     - Fix warning from gcc 8 about suspicious use of strncpy() when
       populating struct sockaddr_un
     - Fix installation of Ducktype documentation with newer yelp-build
       versions
   * d/control: Update Vcs-Git, Vcs-Browser
Checksums-Sha1:
 d080e7dbef60c4ae24050240fef8ec0ca3062b00 1414606 dbus-1-doc_1.10.28-0+deb9u1_all.deb
 ee0eb0eb054e89a114a981b75f21715aaa1f3fbe 79250 dbus-user-session_1.10.28-0+deb9u1_all.deb
 ed728dfac037a0913fb71174cb5cfaf0f9e25b9c 8349 dbus_1.10.28-0+deb9u1_all.buildinfo
Checksums-Sha256:
 2944b71f3ceff6e71b69f2e4212c62f5990f802796695ac83cacca939116371c 1414606 dbus-1-doc_1.10.28-0+deb9u1_all.deb
 3e7835869c4d490ebde78f17794f169c0c57668da73c7199138e153a8bb55e90 79250 dbus-user-session_1.10.28-0+deb9u1_all.deb
 5b48028598af385161e13d461668c40d1669830752c9b3931af809645f7bb3bc 8349 dbus_1.10.28-0+deb9u1_all.buildinfo
Files:
 c8dd0357f0341391489174be6232470e 1414606 doc optional dbus-1-doc_1.10.28-0+deb9u1_all.deb
 8ec40aa85329ed83072c5ba4e2101943 79250 admin optional dbus-user-session_1.10.28-0+deb9u1_all.deb
 ca58fd29b95b05ebcce808a3120c406f 8349 admin optional dbus_1.10.28-0+deb9u1_all.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEDxUushKJ39ldCqDnAY87dXAcGaQFAl0BV0sACgkQAY87dXAc
GaTCpBAAi/NAemDhyOxTWHCdwqP9scpF3HjTrTMilC9/gUCbBkGyDXqSOJz9Qdwe
FlhmovNIVupHXgk/r5epaIq7Kt2MVqklHA8pourqlILtUWQD38e14f8zYOoWmWvc
G8phb6dFHMqV6O8T083OAzGQnbC/2Xf/fZ3LGfpttlxtbJGaiFXW9EfP+TbSz5es
85WevnwiPE9FYG658cqzNvC+a48+lqcRyFLvgDtTUnmvigNsQYQ5caJN8LWr2vov
M+55HAVDeHWr5lfAGsfaiNAL/MreZUv1msh8JnuXVE8UvIRS4JHYj+Wopr/EwBPj
P8W/Jwl2yLrIH1NFzswcx8cS3XMkamnBBBUiIDIHy5aEIKwjj5IeVXnoc+K3ZAIj
jz+SDGFUtANNJ4N6Ui1F/qdTDmfesDDFLhUiOxfy/A3S/330gMcLtvzlYA51ThPy
MBIOpgRKGZkEp81u9RNeU+OLJxXgLzyv1hUWpngSblT8NZ3cohXIOGGNeC3ENwp5
Fcq2r0ecebdKg1B0v67726X+zIMazhrLtO23Q7Kvpq27e8Al9kf8cYxWQN1zZ/1t
wadikDOe52MRn65ylHeUo0m8bD8suwYjEtGrp7LiXKAJM6/9pntoJOsrdz743eF6
7mZi4jc/4qCGQdSFwMb5syC5N5rAi3Oz25pwEss9dRCTJA7g7vM=
=cSQd
-----END PGP SIGNATURE-----
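The CVE-2019-12749 entry above turns on whether a given dbus-daemon permits the DBUS_COOKIE_SHA1 mechanism. The following script is an added example, not part of this upload or of the dbus project, that audits a dbus-daemon configuration file for that mechanism and, on a Debian host, compares the installed dbus version against the fixed one. It relies only on the documented semantics of the <auth> element in dbus-daemon(1): when no <auth> element is present every known mechanism is allowed, otherwise only the listed ones are. The three configuration files it writes are constructed for the demonstration; the FIXED_VERSION value is taken from this upload.

```shell
#!/bin/sh
# Added example (not from the dbus upload or the Debian tooling): audit a
# dbus-daemon configuration for the DBUS_COOKIE_SHA1 mechanism that
# CVE-2019-12749 concerns, and check the installed dbus package on Debian.
# dbus-daemon(1) documents <auth>: if no <auth> element exists, all known
# mechanisms are allowed; otherwise only the listed mechanisms are.
# The configurations written by demo() are constructed for this example.

FIXED_VERSION='1.10.28-0+deb9u1'   # version from this stretch-security upload

# Print the configuration with XML comments removed, so that a commented-out
# <auth> element is not mistaken for a live one.
strip_xml_comments() {
    sed -e 's/<!--.*-->//g' -e '/<!--/,/-->/d' "$1"
}

# Return 0 (true) if the effective configuration lets clients authenticate
# with DBUS_COOKIE_SHA1, 1 otherwise.
cookie_auth_allowed() {
    conf="$1"
    stripped=$(strip_xml_comments "$conf")
    if ! printf '%s\n' "$stripped" | grep -q '<auth>'; then
        # No <auth> element at all: every built-in mechanism is permitted,
        # DBUS_COOKIE_SHA1 included.
        return 0
    fi
    printf '%s\n' "$stripped" |
        grep -q '<auth>[[:space:]]*DBUS_COOKIE_SHA1[[:space:]]*</auth>'
}

# Return 0 if the installed dbus package is at or above FIXED_VERSION,
# 1 if it is older, 2 if this is not a dpkg system or dbus is not installed.
dbus_package_fixed() {
    command -v dpkg-query >/dev/null 2>&1 || return 2
    installed=$(dpkg-query -W -f '${Version}' dbus 2>/dev/null) || return 2
    [ -n "$installed" ] || return 2
    dpkg --compare-versions "$installed" ge "$FIXED_VERSION"
}

# Demonstration on three constructed configurations.
demo() {
    dir=$(mktemp -d)
    # Hardened: only EXTERNAL (socket credential passing) is permitted; the
    # cookie mechanism appears only inside a comment.
    cat >"$dir/external-only.conf" <<'EOF'
<busconfig>
  <auth>EXTERNAL</auth>
  <!-- <auth>DBUS_COOKIE_SHA1</auth> -->
</busconfig>
EOF
    # Weak: cookie authentication explicitly enabled alongside EXTERNAL.
    cat >"$dir/cookie.conf" <<'EOF'
<busconfig>
  <auth>EXTERNAL</auth>
  <auth>DBUS_COOKIE_SHA1</auth>
</busconfig>
EOF
    # Implicit: no <auth> element, so all mechanisms are allowed.
    cat >"$dir/no-auth-element.conf" <<'EOF'
<busconfig>
  <listen>unix:tmpdir=/tmp</listen>
</busconfig>
EOF
    for f in "$dir"/*.conf; do
        if cookie_auth_allowed "$f"; then
            echo "$(basename "$f"): DBUS_COOKIE_SHA1 allowed"
        else
            echo "$(basename "$f"): DBUS_COOKIE_SHA1 not allowed"
        fi
    done
    rm -rf "$dir"

    if dbus_package_fixed; then
        echo "installed dbus >= $FIXED_VERSION"
    elif [ $? -eq 1 ]; then
        echo "installed dbus is older than $FIXED_VERSION"
    else
        echo "cannot determine installed dbus version (no dpkg)"
    fi
}

demo
```

Two caveats when using this for real. First, dbus-daemon configuration can pull in further files through <include> and <includedir>, so the effective mechanism list is the union over every included file, not what a single file says; run the check over all of them. Second, as the changelog notes, the affected parties were third-party users of DBusServer such as Upstart, which set their mechanisms programmatically rather than through dbus-daemon configuration, so a clean configuration audit does not by itself show that every DBusServer on the host was safe; the package version check is what covers those.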