-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 09 Jun 2019 22:42:06 +0100
Source: dbus
Binary: dbus dbus-1-dbg dbus-1-doc dbus-tests dbus-udeb dbus-user-session dbus-x11 libdbus-1-3 libdbus-1-3-udeb libdbus-1-dev
Architecture: source
Version: 1.10.28-0+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Utopia Maintenance Team
Changed-By: Simon McVittie
Description:
 dbus       - simple interprocess messaging system (daemon and utilities)
 dbus-1-dbg - simple interprocess messaging system (debug symbols)
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-tests - simple interprocess messaging system (test infrastructure)
 dbus-udeb  - simple interprocess messaging system (minimal runtime) (udeb)
 dbus-user-session - simple interprocess messaging system (systemd --user integration)
 dbus-x11   - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system (library)
 libdbus-1-3-udeb - simple interprocess messaging system (minimal library) (udeb)
 libdbus-1-dev - simple interprocess messaging system (development headers)
Changes:
 dbus (1.10.28-0+deb9u1) stretch-security; urgency=medium
 .
   * New upstream stable release
     - CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
       authentication for identities that differ from the user running the
       DBusServer. Previously, a local attacker could manipulate symbolic
       links in their own home directory to bypass authentication and
       connect to a DBusServer with elevated privileges. The standard system
       and session dbus-daemons in their default configuration were immune
       to this attack because they did not allow DBUS_COOKIE_SHA1, but
       third-party users of DBusServer such as Upstart could be vulnerable.
     - Prevent reading up to 3 bytes beyond the end of a truncated message.
       This could in principle be an information leak or denial of service
       on the system bus, but is not believed to be exploitable to crash the
       system bus or leak interesting information in practice.
     - Stop the dbus-daemon leaking memory (an error message) if delivering
       the message that triggered auto-activation is forbidden. This is
       technically a denial of service because the dbus-daemon will run out
       of memory eventually, but it's a very slow and noisy one, because all
       the rejected messages are also very likely to have been logged to the
       system log, and its scope is typically limited by the finite number
       of activatable services available.
     - Remove __attribute__((__malloc__)) attribute on dbus_realloc(), which
       does not meet the criteria for that attribute in gcc 4.7+,
       potentially leading to miscompilation.
     - Fix build with gcc 8 -Werror=cast-function-type
     - Fix warning from gcc 8 about suspicious use of strncpy() when
       populating struct sockaddr_un
     - Fix installation of Ducktype documentation with newer yelp-build
       versions
   * d/control: Update Vcs-Git, Vcs-Browser
Checksums-Sha1:
 90601f09ea799f8f73742263a29223a50234d0fc 3345 dbus_1.10.28-0+deb9u1.dsc
 3177c3f8e65629dd6be7b60002da80d6bf5366f4 1998830 dbus_1.10.28.orig.tar.gz
 5a7d04e09c0c220b1d035d6a03dab96655cfdbee 833 dbus_1.10.28.orig.tar.gz.asc
 88373bc62a77b94a24893399e62d5e44dea135c1 57500 dbus_1.10.28-0+deb9u1.debian.tar.xz
 f90bb1acac6c403a7ae9c472e49d653dd2309479 8031 dbus_1.10.28-0+deb9u1_source.buildinfo
Checksums-Sha256:
 a4758356f5a71e87804f3b55e1f83f41c10b19ddb84595e322eeb2cd44cdb367 3345 dbus_1.10.28-0+deb9u1.dsc
 63f5b1d57360be5c147ef561e67f8efdd9034e1f12b7aba41feb42b376324552 1998830 dbus_1.10.28.orig.tar.gz
 5da985dafdf223b7f5e0c6e51c608fd7d87e681e0c1eccfa2970be2978c0bed9 833 dbus_1.10.28.orig.tar.gz.asc
 83c883431ee58fbfd7dcae4c763baa904e14b835023edff0dd495270d56d59b3 57500 dbus_1.10.28-0+deb9u1.debian.tar.xz
 f6cf9cfa2d44a4759ab174a38c97808729c09e9c6c292cd1ee30484d8080c34f 8031 dbus_1.10.28-0+deb9u1_source.buildinfo
Files:
 38180eef98e7ca9f6c33e6b5742f087c 3345 admin optional dbus_1.10.28-0+deb9u1.dsc
 9c853418bdc44df243e51aacfa6257c3 1998830 admin optional dbus_1.10.28.orig.tar.gz
 b51f95419107e9b0f52485498df5589e 833 admin optional dbus_1.10.28.orig.tar.gz.asc
 5477e85465b0697f4ca759e8774280e0 57500 admin optional dbus_1.10.28-0+deb9u1.debian.tar.xz
 620d351fbf97d418e600493f8981e0f1 8031 admin optional dbus_1.10.28-0+deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAl0BQNkACgkQ4FrhR4+B
TE/7/w//WmqVkiGJslULEoy9b45IF4d3OMCkO6ztAphi/S7d52W8+iRh/J/VRsJs
8ZJnpXC+xgBKei35+oj2XGUjyxtV8IR6qKh4lxgjIzQLDTUqrVxWboNDgXELrY59
KoSWV/E9lBlpsYBSFqFui/C1s7uPgID8RndQMhgHNEHmJLD1jhEzQKAEOZLemuWX
A0kblQnCTb+OEhfn6FeaGGPB5BSbLoNgMkx0Lj1e0Gne5CFxgU4w5cDuCuFXZIQC
PBR3PvwzhsW22HZW3i5qpjKLj++dzRpg4h5ACq55Pf/zyof7ZDtS2R4Ew+A3xADm
ADQMNCw++LBvhI/Ij3LeZ57ltyHDioRjOz5sX6UEZ3/jtaNd5wSwgP1snJzFb2pI
WVCP+B0n3t85F9um4daU0PEpIOyIcCDCFFXypxwXfF+mz9Fzyz+Y4KHk0M+uknk7
oxsM+hwrdIToOBJRIQBToGd1BNiJrrTRIZE+kC+PC2xBlswnzdcdHZW+CDDlDrC8
s/WIkVQY2XTf9/KgnB0/iJIjFAgIQCiSUhqu2KUd14L5o42YBA8IJMrzfw/7/b4o
rF9QB664Y3lm85MJ5z23Wfog+aEI89dm5NTbZXFG9RxIBDKi4QmYr12Hd1kIo55m
2WUl5hIDmr6hFgrndcdqbOoGmK/8C8aK4c9yj8msEDYJHBmrEww=
=XtYc
-----END PGP SIGNATURE-----