dbus-1-1.12.20-5.5 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10711 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z dbus-1-1.12.20-5.5 on GA media These are all security issues fixed in the dbus-1-1.12.20-5.5 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10711 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10711 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2006-6107/ SUSE CVE CVE-2006-6107 page https://www.suse.com/security/cve/CVE-2008-0595/ SUSE CVE CVE-2008-0595 page https://www.suse.com/security/cve/CVE-2008-3834/ SUSE CVE CVE-2008-3834 page https://www.suse.com/security/cve/CVE-2008-4311/ SUSE CVE CVE-2008-4311 page https://www.suse.com/security/cve/CVE-2019-12749/ SUSE CVE CVE-2019-12749 page https://www.suse.com/security/cve/CVE-2020-12049/ SUSE CVE CVE-2020-12049 page openSUSE Tumbleweed dbus-1-1.12.20-5.5 dbus-1-devel-1.12.20-5.5 dbus-1-devel-32bit-1.12.20-5.5 libdbus-1-3-1.12.20-5.5 libdbus-1-3-32bit-1.12.20-5.5 dbus-1-1.12.20-5.5 as a component of openSUSE Tumbleweed dbus-1-devel-1.12.20-5.5 as a component of openSUSE Tumbleweed dbus-1-devel-32bit-1.12.20-5.5 as a component of openSUSE Tumbleweed libdbus-1-3-1.12.20-5.5 as a component of openSUSE Tumbleweed libdbus-1-3-32bit-1.12.20-5.5 as a component of openSUSE Tumbleweed Unspecified vulnerability in the match_rule_equal function in bus/signals.c in D-Bus before 1.0.2 allows local applications to remove match rules for other applications and cause a denial of service (lost process messages). CVE-2006-6107 openSUSE Tumbleweed:dbus-1-1.12.20-5.5 openSUSE Tumbleweed:dbus-1-devel-1.12.20-5.5 openSUSE Tumbleweed:dbus-1-devel-32bit-1.12.20-5.5 openSUSE Tumbleweed:libdbus-1-3-1.12.20-5.5 openSUSE Tumbleweed:libdbus-1-3-32bit-1.12.20-5.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2006-6107.html CVE-2006-6107 https://bugzilla.suse.com/224811 SUSE Bug 224811 dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface. CVE-2008-0595 openSUSE Tumbleweed:dbus-1-1.12.20-5.5 openSUSE Tumbleweed:dbus-1-devel-1.12.20-5.5 openSUSE Tumbleweed:dbus-1-devel-32bit-1.12.20-5.5 openSUSE Tumbleweed:libdbus-1-3-1.12.20-5.5 openSUSE Tumbleweed:libdbus-1-3-32bit-1.12.20-5.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-0595.html CVE-2008-0595 https://bugzilla.suse.com/364532 SUSE Bug 364532 The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error. CVE-2008-3834 openSUSE Tumbleweed:dbus-1-1.12.20-5.5 openSUSE Tumbleweed:dbus-1-devel-1.12.20-5.5 openSUSE Tumbleweed:dbus-1-devel-32bit-1.12.20-5.5 openSUSE Tumbleweed:libdbus-1-3-1.12.20-5.5 openSUSE Tumbleweed:libdbus-1-3-32bit-1.12.20-5.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-3834.html CVE-2008-3834 https://bugzilla.suse.com/432901 SUSE Bug 432901 https://bugzilla.suse.com/495804 SUSE Bug 495804 https://bugzilla.suse.com/659934 SUSE Bug 659934 The default configuration of system.conf in D-Bus (aka DBus) before 1.2.6 omits the send_type attribute in certain rules, which allows local users to bypass intended access restrictions by (1) sending messages, related to send_requested_reply; and possibly (2) receiving messages, related to receive_requested_reply. CVE-2008-4311 openSUSE Tumbleweed:dbus-1-1.12.20-5.5 openSUSE Tumbleweed:dbus-1-devel-1.12.20-5.5 openSUSE Tumbleweed:dbus-1-devel-32bit-1.12.20-5.5 openSUSE Tumbleweed:libdbus-1-3-1.12.20-5.5 openSUSE Tumbleweed:libdbus-1-3-32bit-1.12.20-5.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-4311.html CVE-2008-4311 https://bugzilla.suse.com/443307 SUSE Bug 443307 dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass. CVE-2019-12749 openSUSE Tumbleweed:dbus-1-1.12.20-5.5 openSUSE Tumbleweed:dbus-1-devel-1.12.20-5.5 openSUSE Tumbleweed:dbus-1-devel-32bit-1.12.20-5.5 openSUSE Tumbleweed:libdbus-1-3-1.12.20-5.5 openSUSE Tumbleweed:libdbus-1-3-32bit-1.12.20-5.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-12749.html CVE-2019-12749 https://bugzilla.suse.com/1137832 SUSE Bug 1137832 An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. CVE-2020-12049 openSUSE Tumbleweed:dbus-1-1.12.20-5.5 openSUSE Tumbleweed:dbus-1-devel-1.12.20-5.5 openSUSE Tumbleweed:dbus-1-devel-32bit-1.12.20-5.5 openSUSE Tumbleweed:libdbus-1-3-1.12.20-5.5 openSUSE Tumbleweed:libdbus-1-3-32bit-1.12.20-5.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12049.html CVE-2020-12049 https://bugzilla.suse.com/1172505 SUSE Bug 1172505