Next | Query returned 207 messages, browsing 81 to 90 | Previous

CVS Commit History:


   2014-12-01 11:59:40 by Thomas Klausner | Files touched by this commit (2)
Log message:
Update to 1.8.12:

D-Bus 1.8.12 (2014-11-24)
==

The “days of fuchsia passed” release.

Fixes:

• Partially revert the CVE-2014-3639 patch by increasing the default
  authentication timeout on the system bus from 5 seconds back to 30
  seconds, since this has been reported to cause boot regressions for
  some users, mostly with parallel boot (systemd) on slower hardware.

  On fast systems where local users are considered particularly hostile,
  administrators can return to the 5 second timeout (or any other value
  in milliseconds) by saving this as /etc/dbus-1/system-local.conf:

  <busconfig>
    <limit name="auth_timeout">5000</limit>
  </busconfig>

  (fd.o #86431, Simon McVittie)

• Add a message in syslog/the Journal when the auth_timeout is exceeded
  (fd.o #86431, Simon McVittie)

• Send back an AccessDenied error if the addressed recipient is not allowed
  to receive a message (and in builds with assertions enabled, don't
  assert under the same conditions). (fd.o #86194, Jacek Bukarewicz)

   2014-11-10 23:52:47 by Patrick Welche | Files touched by this commit (2)
Log message:
Update dbus to 1.8.10

The "tenants with a leaking roof get priority" release.

Security fixes:

* Increase dbus-daemon's RLIMIT_NOFILE rlimit to 65536
  so that CVE-2014-3636 part A cannot exhaust the system bus'
  file descriptors, completing the incomplete fix in 1.8.8.
  (CVE-2014-7824, fd.o #85105; Simon McVittie, Alban Crequy)

   2014-09-16 23:30:18 by Thomas Klausner | Files touched by this commit (2)
Log message:
Update to 1.8.8, many security fixes.

D-Bus 1.8.8 (2014-09-16)
==

The "smashy smashy egg man" release.

Security fixes:

* Do not accept an extra fd in the padding of a cmsg message, which
  could lead to a 4-byte heap buffer overrun.
  (CVE-2014-3635, fd.o #83622; Simon McVittie)

* Reduce default for maximum Unix file descriptors passed per message
  from 1024 to 16, preventing a uid with the default maximum number of
  connections from exhausting the system bus' file descriptors under
  Linux's default rlimit. Distributors or system administrators with a
  more restrictive fd limit may wish to reduce these limits further.

  Additionally, on Linux this prevents a second denial of service
  in which the dbus-daemon can be made to exceed the maximum number
  of fds per sendmsg() and disconnect the process that would have
  received them.
  (CVE-2014-3636, fd.o #82820; Alban Crequy)

* Disconnect connections that still have a fd pending unmarshalling after
  a new configurable limit, pending_fd_timeout (defaulting to 150 seconds),
  removing the possibility of creating an abusive connection that cannot be
  disconnected by setting up a circular reference to a connection's
  file descriptor.
  (CVE-2014-3637, fd.o #80559; Alban Crequy)

* Reduce default for maximum pending replies per connection from 8192 to 128,
  mitigating an algorithmic complexity denial-of-service attack
  (CVE-2014-3638, fd.o #81053; Alban Crequy)

* Reduce default for authentication timeout on the system bus from
  30 seconds to 5 seconds, avoiding denial of service by using up
  all unauthenticated connection slots; and when all unauthenticated
  connection slots are used up, make new connection attempts block
  instead of disconnecting them.
  (CVE-2014-3639, fd.o #80919; Alban Crequy)

Other fixes:

* Check for libsystemd from systemd >= 209, falling back to
  the older separate libraries if not found (Umut Tezduyar Lindskog,
  Simon McVittie)

* On Linux, use prctl() to disable core dumps from a test executable
  that deliberately raises SIGSEGV to test dbus-daemon's handling
  of that condition (fd.o #83772, Simon McVittie)

* Fix compilation with --enable-stats (fd.o #81043, Gentoo #507232;
  Alban Crequy)

* Improve documentation for running tests on Windows (fd.o #41252,
  Ralf Habacker)
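The CVE-2014-3635 item in the 1.8.8 notes above describes an extra fd arriving in the padding of a cmsg and causing a 4-byte heap overrun. The program below is an added example, not dbus code and not taken from any commit on this page; it shows the mechanism on Linux. A receiver that sizes msg_controllen with CMSG_SPACE() leaves CMSG_ALIGN() padding after the fd payload, and on an LP64 ABI that padding is wide enough for the kernel to deliver one more int than the receiver allocated, so a count derived from cmsg_len comes out one higher than the receiver's array. Sizing the buffer with CMSG_LEN() instead leaves the kernel no such room, and clamping the count to the allocation closes the hole in any case. The helper names (send_fds, recv_fds, padding_demo, scm_rights_fd_count), the use of /dev/null as the passed descriptors, and the "vulnerable sizing" path are my own reconstruction of this class of bug, not a claim about the exact pre-1.8.8 dbus source.

```c
/* Added example, not dbus code: an SCM_RIGHTS control buffer sized with
 * CMSG_SPACE() has alignment padding the kernel will fill with one more fd
 * than the receiver budgeted for.  Linux-specific; "+1" needs an LP64 ABI. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_DEMO_FDS 16 /* bound for this demo only, unrelated to dbus limits */

/* fds actually present in a cmsg: from cmsg_len, never from the buffer size. */
static size_t scm_rights_fd_count(const struct cmsghdr *cm)
{
    return cm->cmsg_len < CMSG_LEN(0) ? 0 : (cm->cmsg_len - CMSG_LEN(0)) / sizeof(int);
}

/* Sender: one data byte plus n fds in the usual CMSG_SPACE() layout. */
static int send_fds(int sock, const int *fds, size_t n)
{
    char byte = 'x', control[CMSG_SPACE(MAX_DEMO_FDS * sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = control };
    struct cmsghdr *cm;

    if (n == 0 || n > MAX_DEMO_FDS)
        return -1;
    memset(control, 0, sizeof control);
    msg.msg_controllen = CMSG_SPACE(n * sizeof(int));
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(n * sizeof(int));
    memcpy(CMSG_DATA(cm), fds, n * sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receiver with room for max_fds entries.  vulnerable_sizing uses
 * CMSG_SPACE(max_fds * sizeof(int)), whose padding the kernel treats as room
 * for more fds; CMSG_LEN(...) leaves none and surplus fds are dropped with
 * MSG_CTRUNC.  Returns the count derived from cmsg_len; entries beyond
 * max_fds are closed instead of being written past the end of fds[]. */
static ssize_t recv_fds(int sock, int *fds, size_t max_fds, int vulnerable_sizing)
{
    char byte, control[CMSG_SPACE(MAX_DEMO_FDS * sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = control };
    struct cmsghdr *cm;
    size_t delivered = 0, i;

    if (max_fds > MAX_DEMO_FDS)
        return -1;
    msg.msg_controllen = vulnerable_sizing ? CMSG_SPACE(max_fds * sizeof(int))
                                           : CMSG_LEN(max_fds * sizeof(int));
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
        const int *payload = (const int *)CMSG_DATA(cm);
        size_t n = scm_rights_fd_count(cm);

        if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
            continue;
        for (i = 0; i < n; i++) {
            if (delivered + i < max_fds)
                fds[delivered + i] = payload[i];
            else
                close(payload[i]); /* a naive memcpy would overrun fds[] here */
        }
        delivered += n;
    }
    return (ssize_t)delivered;
}

/* One exchange over a socketpair: `sent` copies of /dev/null go in, the
 * receiver has room for `max_fds`.  Returns the receiver's fd count. */
static ssize_t padding_demo(size_t sent, size_t max_fds, int vulnerable_sizing)
{
    int sv[2], tosend[MAX_DEMO_FDS], got[MAX_DEMO_FDS];
    size_t i, opened = 0;
    ssize_t n = -1;

    if (sent > MAX_DEMO_FDS || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    for (; opened < sent; opened++)
        if ((tosend[opened] = open("/dev/null", O_RDONLY)) < 0)
            goto out;
    if (send_fds(sv[0], tosend, sent) == 0)
        n = recv_fds(sv[1], got, max_fds, vulnerable_sizing);
    for (i = 0; n > 0 && i < (size_t)n && i < max_fds; i++)
        close(got[i]);
out:
    for (i = 0; i < opened; i++)
        close(tosend[i]);
    close(sv[0]);
    close(sv[1]);
    return n;
}

int main(void)
{
    printf("ints that fit in CMSG_SPACE padding on this ABI: %zu\n",
           (CMSG_SPACE(sizeof(int)) - CMSG_LEN(sizeof(int))) / sizeof(int));
    printf("2 sent, room for 1, CMSG_SPACE sizing: %zd counted\n", padding_demo(2, 1, 1));
    printf("2 sent, room for 1, CMSG_LEN sizing:   %zd counted\n", padding_demo(2, 1, 0));
    return 0;
}
```

On x86-64 Linux the first call reports 2 fds counted for a 1-fd allocation, which is the off-by-one-int that turns into a 4-byte overrun when the count is fed straight into a memcpy; the second call reports 1 and the kernel closes the surplus descriptor itself, flagging MSG_CTRUNC. The two defensive steps are independent: size msg_controllen with CMSG_LEN() so the kernel cannot hand over more than you asked for, and still clamp the cmsg_len-derived count to your allocation, because a different kernel or libc may round differently.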

   2014-09-13 11:47:11 by Richard PALO | Files touched by this commit (5)
Log message:
Add smf support and solaris-specific console_user verification

bump PKGREVISION

   2014-07-06 16:54:32 by Thomas Klausner | Files touched by this commit (2)
Log message:
Update to 1.8.6:

D-Bus 1.8.6 (2014-06-02)
==

Security fixes:

• On Linux ≥ 2.6.37-rc4, if sendmsg() fails with ETOOMANYREFS, silently drop
  the message. This prevents an attack in which a malicious client can
  make dbus-daemon disconnect a system service, which is a local
  denial of service.
  (fd.o #80163, CVE-2014-3532; Alban Crequy)

• Track remaining Unix file descriptors correctly when more than one
  message in quick succession contains fds. This prevents another attack
  in which a malicious client can make dbus-daemon disconnect a system
  service.
  (fd.o #79694, fd.o #80469, CVE-2014-3533; Alejandro Martínez Suárez,
  Simon McVittie, Alban Crequy)

Other fixes:

• When dbus-launch --exit-with-session starts a dbus-daemon but then cannot
  attach to a session, kill the dbus-daemon as intended
  (fd.o #74698, Роман Донченко)

   2014-06-14 23:59:21 by Thomas Klausner | Files touched by this commit (1)
Log message:
Bump PKGREVISION for O_CLOEXEC patch change and libexecinfo detection.

   2014-06-14 23:57:34 by Thomas Klausner | Files touched by this commit (2)
Log message:
Also look for backtrace() in libexecinfo.
Accepted upstream as part of
https://bugs.freedesktop.org/show_bug.cgi?id=69702

   2014-06-14 23:52:57 by Thomas Klausner | Files touched by this commit (2)
Log message:
Switch O_CLOEXEC patch to the version that was committed upstream.

   2014-06-14 23:48:34 by Thomas Klausner | Files touched by this commit (2)
Log message:
Add upstream bug report URL (patch already applied for 1.9.x series)

   2014-06-14 23:11:34 by Aleksey Cheusov | Files touched by this commit (1)
Log message:
Fix build failure on Linux (PLIST issue)
