Debian Security Advisory
DSA-3161-1 dbus -- security update
- Date Reported:
- 11 Feb 2015
- Affected Packages:
- dbus
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 777545.
In Mitre's CVE dictionary: CVE-2015-0245. - More information:
-
Simon McVittie discovered a local denial of service flaw in dbus, an asynchronous inter-process communication system. On systems with systemd-style service activation, dbus-daemon does not prevent forged ActivationFailure messages from non-root processes. A malicious local user could use this flaw to trick dbus-daemon into thinking that systemd failed to activate a system service, resulting in an error reply back to the requester.
For the stable distribution (wheezy), this problem has been fixed in version 1.6.8-1+deb7u6.
For the unstable distribution (sid), this problem has been fixed in version 1.8.16-1.
We recommend that you upgrade your dbus packages.