Debian Security Advisory
DLA-87-1 dbus -- LTS security update
- Date Reported: 20 Nov 2014
- Affected Packages:
- Security database references: In Mitre's CVE dictionary: CVE-2014-3477, CVE-2014-3638, CVE-2014-3639.
- More information:
This update fixes multiple (local) denial-of-service issues discovered by Alban Crequy and Simon McVittie.
Fix a denial of service (failure to obtain bus name) in newly-activated system services that not all users are allowed to access.
Reduce maximum number of pending replies per connection to avoid algorithmic complexity denial of service.
The daemon now limits the number of unauthenticated connection slots so that malicious processes cannot prevent new connections to the system bus.
For Debian 6 Squeeze, these issues have been fixed in dbus version 1.2.24-4+squeeze3.