Subject: CVS commit: pkgsrc/sysutils/dbus
From: Thomas Klausner
Date: 2019-06-11 22:04:23
Message id:

Log Message:
dbus: update to 1.12.16.

dbus 1.12.16 (2019-06-11)

The “tree cat” release.

Security fixes:

• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
  authentication for identities that differ from the user running the
  DBusServer. Previously, a local attacker could manipulate symbolic
  links in their own home directory to bypass authentication and connect
  to a DBusServer with elevated privileges. The standard system and
  session dbus-daemons in their default configuration were immune to this
  attack because they did not allow DBUS_COOKIE_SHA1, but third-party
  users of DBusServer such as Upstart could be vulnerable.
  Thanks to Joe Vennix of Apple Information Security.
  (dbus#269, Simon McVittie)