Debian Security Advisory
DLA-87-1 dbus -- LTS security update
- Date Reported:
- 20 Nov 2014
- Affected Packages:
- dbus
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2014-3477, CVE-2014-3638, CVE-2014-3639.
- More information:
This update fixes multiple (local) denial-of-service issues discovered by Alban Crequy and Simon McVittie.
- CVE-2014-3477
Fix a denial of service (failure to obtain bus name) in newly-activated system services that not all users are allowed to access.
- CVE-2014-3638
Reduce maximum number of pending replies per connection to avoid algorithmic complexity denial of service.
- CVE-2014-3639
The daemon now limits the number of unauthenticated connection slots so that malicious processes cannot prevent new connections to the system bus.
For Debian 6 Squeeze, these issues have been fixed in dbus version 1.2.24-4+squeeze3.