[arch-dev-public] Dbus on archlinux and permissions

Jan de Groot jan at jgc.homeip.net
Sun Mar 8 08:38:11 EDT 2009


I'm planning to update dbus to the latest release. Reading the
release notes, I found this:

Due to a security issue (CVE-2008-4311) for which a large number of
system services need fixes, the dbus 1.2 stable branch has been split
into two streams. The "1.2.4Xpermissive" branch originates from 1.2.4,
and maintains the unintended permissive default for messages. Releases
1.2.6 and later have a default deny. It is intended that the
permissive branch only be used temporarily by vendors.  For more
information, see this mail:
http://lists.freedesktop.org/archives/dbus/2008-December/010769.html

I would like to package the 1.2.4.4permissive release now. As soon as
it's moved into core, I would like to add the non-permissive version to
testing and see what breaks. Doing so, we can close down this security
leak in dbus and have all affected services fixed.
