Format: 1.8
Date: Sun, 09 Jun 2019 22:42:06 +0100
Source: dbus
Binary: dbus dbus-1-dbg dbus-1-doc dbus-tests dbus-udeb dbus-user-session dbus-x11 libdbus-1-3 libdbus-1-3-udeb libdbus-1-dev
Architecture: amd64
Version: 1.10.28-0+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: amd64 Build Daemon (x86-grnet-01)
Changed-By: Simon McVittie
Description:
 dbus - simple interprocess messaging system (daemon and utilities)
 dbus-1-dbg - simple interprocess messaging system (debug symbols)
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-tests - simple interprocess messaging system (test infrastructure)
 dbus-udeb - simple interprocess messaging system (minimal runtime) (udeb)
 dbus-user-session - simple interprocess messaging system (systemd --user integration)
 dbus-x11 - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system (library)
 libdbus-1-3-udeb - simple interprocess messaging system (minimal library) (udeb)
 libdbus-1-dev - simple interprocess messaging system (development headers)
Changes:
 dbus (1.10.28-0+deb9u1) stretch-security; urgency=medium
 .
   * New upstream stable release
     - CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
       authentication for identities that differ from the user running the
       DBusServer. Previously, a local attacker could manipulate symbolic
       links in their own home directory to bypass authentication and
       connect to a DBusServer with elevated privileges. The standard
       system and session dbus-daemons in their default configuration were
       immune to this attack because they did not allow DBUS_COOKIE_SHA1,
       but third-party users of DBusServer such as Upstart could be
       vulnerable.
     - Prevent reading up to 3 bytes beyond the end of a truncated message.
       This could in principle be an information leak or denial of service
       on the system bus, but is not believed to be exploitable to crash
       the system bus or leak interesting information in practice.
     - Stop the dbus-daemon leaking memory (an error message) if delivering
       the message that triggered auto-activation is forbidden. This is
       technically a denial of service because the dbus-daemon will run out
       of memory eventually, but it's a very slow and noisy one, because
       all the rejected messages are also very likely to have been logged
       to the system log, and its scope is typically limited by the finite
       number of activatable services available.
     - Remove __attribute__((__malloc__)) attribute on dbus_realloc(),
       which does not meet the criteria for that attribute in gcc 4.7+,
       potentially leading to miscompilation.
     - Fix build with gcc 8 -Werror=cast-function-type
     - Fix warning from gcc 8 about suspicious use of strncpy() when
       populating struct sockaddr_un
     - Fix installation of Ducktype documentation with newer yelp-build
       versions
   * d/control: Update Vcs-Git, Vcs-Browser