Debian Security Advisory

DLA-87-1 dbus -- LTS security update

Date Reported:
20 Nov 2014
Affected Packages:
dbus
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2014-3477, CVE-2014-3638, CVE-2014-3639.
More information:

This update fixes multiple (local) denial-of-service issues discovered by Alban Crequy and Simon McVittie.

  • CVE-2014-3477

    Fix a denial of service (failure to obtain bus name) in newly-activated system services that not all users are allowed to access.

  • CVE-2014-3638

    Reduce maximum number of pending replies per connection to avoid algorithmic complexity denial of service.

  • CVE-2014-3639

    The daemon now limits the number of unauthenticated connection slots so that malicious processes cannot prevent new connections to the system bus.

For Debian 6 Squeeze, these issues have been fixed in dbus version 1.2.24-4+squeeze3.