Log message:
Update to 1.10.0:
D-Bus 1.10.0 (2015-08-25)
==
The â0x20â release.
This is a new stable branch, recommended for use in OS distributions.
Fixes since 1.9.20:
⢠distribute test/tap-test.sh.in, even if the tarball was built without
tests enabled (fd.o #91684, Simon McVittie)
⢠work around a fd leak in libcap-ng < 0.7.7 (fd.o #91684, Simon McVittie)
Summary of major changes since 1.8.0:
⢠The basic setup for the well-known system and session buses is
now done in read-only files in ${datadir} (normally /usr/share).
See the NEWS entry for 1.9.18 for details.
⢠AppArmor integration has been merged, with features similar to the
pre-existing SELinux integration. It is mostly compatible with the
patches previously shipped by Ubuntu, with one significant change:
Ubuntu's GetConnectionAppArmorSecurityContext method has been superseded
by GetConnectionCredentials and was not included.
⢠The --enable-user-session configure option can be enabled
by OS integrators intending to use systemd to provide a session bus
per user (in effect, treating all concurrent graphical and non-graphical
login sessions as one large session).
⢠The new listenable address mode "unix:runtime=yes" listens on
$XDG_RUNTIME_DIR/bus, the same AF_UNIX socket used by the systemd
user session. libdbus and "dbus-launch --autolaunch" will connect to
this address by default. GLib ⥠2.45.3 and sd-bus ⥠209 have a
matching default.
⢠All executables are now dynamically linked to libdbus-1.
Previously, some executables, most notably dbus-daemon, were statically
linked to a specially-compiled variant of libdbus. This results in
various private functions in the _dbus namespace being exposed by the
shared library. These are not API, and must not be used outside
the dbus source tree.
⢠On platforms with ELF symbol versioning, all public symbols
are versioned LIBDBUS_1_3.
New bus APIs:
⢠org.freedesktop.DBus.GetConnectionCredentials returns
LinuxSecurityLabel where supported
⢠org.freedesktop.DBus.Monitoring interface (privileged)
· BecomeMonitor method supersedes match rules with eavesdrop=true,
which are now deprecated
⢠org.freedesktop.DBus.Stats interface (semi-privileged)
· now enabled by default
· new GetAllMatchRules method
New executables:
⢠dbus-test-tool
⢠dbus-update-activation-environment
New optional dependencies:
⢠The systemd: pseudo-transport requires libsystemd or libsd-daemon
⢠Complete documentation requires Ducktype and yelp-tools
⢠Full test coverage requires GLib 2.36 and PyGI
⢠AppArmor integration requires libapparmor and optionally libaudit
Dependencies removed:
⢠dbus-glib
D-Bus 1.9.20 (2015-08-06)
==
The âRemember Tomorrowâ release.
This is a release-candidate for D-Bus 1.10.0. OS distribution vendors
should test it.
Fixes:
⢠Don't second-guess what the ABI of poll() is, allowing it to be used
on Integrity RTOS and other unusual platforms (fd.o #90314;
Rolland Dudemaine, Simon McVittie)
⢠Don't duplicate audit subsystem integration if AppArmor and SELinux are
both enabled (fd.o #89225, Simon McVittie)
⢠Log audit events for AppArmor/SELinux policy violations whenever
we have CAP_AUDIT_WRITE, even if not the system bus
(fd.o #83856, Laurent Bigonville)
D-Bus 1.9.18 (2015-07-21)
==
The âPirate Eliteâ release.
Configuration changes:
⢠The basic setup for the well-known system and session buses is now done
in read-only files in ${datadir}, moving a step closer to systems
that can operate with an empty /etc directory. In increasing order
of precedence:
· ${datadir}/dbus-1/s*.conf now perform the basic setup such as setting
the default message policies.
· ${sysconfdir}/dbus-1/s*.conf are now optional. By default
dbus still installs a trivial version of each, for documentation
purposes; putting configuration directives in these files is deprecated.
· ${datadir}/dbus-1/s*.d/ are now available for third-party software
to install "drop-in" configuration snippets (any packages
using those directories should explicitly depend on at least this
version of dbus).
· ${sysconfdir}/dbus-1/s*.d/ are also still available for sysadmins
or third-party software to install "drop-in" configuration snippets
· ${sysconfdir}/dbus-1/s*-local.conf are still available for sysadmins'
overrides
${datadir} is normally /usr/share, ${sysconfdir} is normally /etc,
and "s*" refers to either system or session as appropriate.
(fd.o #89280, Dimitri John Ledkov)
Fixes:
⢠Fix a memory leak when GetConnectionCredentials() succeeds
(fd.o #91008, Jacek Bukarewicz)
⢠Ensure that dbus-monitor does not reply to messages intended for others,
resulting in its own disconnection (fd.o #90952, Simon McVittie)
D-Bus 1.9.16 (2015-05-14)
==
The âtitanium barnsâ release.
Dependencies:
⢠Automake 1.13 is now required when compiling from git or modifying
the build system.
Security hardening:
⢠On Unix platforms, change the default configuration for the session bus
to only allow EXTERNAL authentication (secure kernel-mediated
credentials-passing), as was already done for the system bus.
This avoids falling back to DBUS_COOKIE_SHA1, which relies on strongly
unpredictable pseudo-random numbers.
If you are using D-Bus over the (unencrypted!) tcp: or nonce-tcp: transport,
in conjunction with DBUS_COOKIE_SHA1 and a shared home directory using
NFS or similar, you will need to reconfigure the session bus to accept
DBUS_COOKIE_SHA1 by commenting out the <auth> element. This configuration
is not recommended.
(fd.o #90414, Simon McVittie)
⢠When asked for random numbers for DBUS_COOKIE_SHA1, the nonce-tcp:
transport, UUIDs or any other reason, fail if we cannot obtain entropy
(from /dev/urandom or CryptGenRandom()) or an out-of-memory condition
occurs, instead of silently falling back to low-entropy pseudorandom
numbers from rand(). (fd.o #90414; Simon McVittie, Ralf Habacker)
Enhancements:
⢠Add dbus_message_iter_get_element_count()
(fd.o #30350; Christian Dywan, Simon McVittie)
⢠Introduce new internal DBusSocket and DBusPollable types so we can
stop treating the Windows SOCKET type as if it was int. DBusSocket
is specifically a socket, cross-platform. DBusPollable is whatever
_dbus_poll() can act on, i.e. a fd on Unix or a SOCKET on Windows.
(fd.o #89444; Ralf Habacker, Simon McVittie)
⢠All regression tests now output TAP <https://testanything.org/>
(fd.o #89846, Simon McVittie)
⢠Internal APIs consistently use signed values for timestamps
(fd.o #18494, Peter McCurdy)
⢠Improve diagnostics when UpdateActivationEnvironment calls are rejected
(fd.o #88812, Simon McVittie)
⢠Clean up a lot of compiler warnings
(fd.o #17289, fd.o #89284; Ralf Habacker, Simon McVittie)
Fixes:
⢠Add locking to DBusCounter's reference count and notify function
(fd.o #89297, Adrian Szyndela)
⢠Ensure that DBusTransport's reference count is protected by the
corresponding DBusConnection's lock (fd.o #90312, Adrian Szyndela)
⢠Correctly release DBusServer mutex before early-return if we run out
of memory while copying authentication mechanisms (fd.o #90021,
Ralf Habacker)
⢠Make dbus-test-tool and dbus-update-activation-environment portable
to Windows (fd.o #90089, Ralf Habacker)
⢠Correctly initialize all fields of DBusTypeReader (fd.o #90021;
Ralf Habacker, Simon McVittie)
⢠Fix some missing \n in verbose (debug log) messages (fd.o #90004,
Ralf Habacker)
⢠Clean up some memory and fd leaks in test code and tools
(fd.o #90021, Ralf Habacker)
⢠Fix a NULL dereference if the dbus-daemon cannot read a configuration
directory for a reason that is not ENOENT (fd.o #90021, Ralf Habacker)
⢠CMake generates a versioned shared library even if the revision is 0,
as it usually is on the development branch. (fd.o #89450, Ralf Habacker)
D-Bus 1.9.14 (2015-03-02)
==
The âdon't stand in the poison cloudâ release.
Dependencies:
⢠dbus-daemon and dbus-daemon-launch-helper now require libdbus. They
were previously linked to a static version of libdbus.
⢠The tests no longer require dbus-glib in order to exercise the libdbus
shared library; they are always linked to libdbus now.
Build-time configuration:
⢠The new --enable-user-session option, off by default, can be enabled
by OS integrators intending to use systemd to provide a session bus
per user (in effect, treating all concurrent graphical and non-graphical
login sessions as one large session)
Enhancements:
⢠All executables are now linked dynamically to libdbus.
(fd.o #83115; Bertrand SIMONNET, Simon McVittie, Ralf Habacker)
⢠On platforms that support them (GNU libc and possibly others),
libdbus now has versioned symbols for its public API.
All public symbols (visible in the header files) are currently
versioned as LIBDBUS_1_3; private symbols starting with _dbus or
dbus_internal have a version that changes with each release, and
must not be used by applications. (also fd.o #83115)
⢠New listenable address mode "unix:runtime=yes" which listens on
a real filesystem (non-abstract) socket $XDG_RUNTIME_DIR/bus
(fd.o #61303; Colin Walters, Alexander Larsson, Simon McVittie)
⢠Add optional systemd units for a per-user bus listening on
$XDG_RUNTIME_DIR/bus (fd.o #61301; Simon McVittie, Colin Walters)
⢠On Unix platforms, both libdbus and "dbus-launch --autolaunch"
default to connecting to $XDG_RUNTIME_DIR/bus if it is a socket
(also fd.o #61301)
⢠New dbus-update-activation-environment tool uploads environment
variables to "dbus-daemon --session" and optionally "systemd \
--user",
primarily as a way to keep the per-user bus compatible with
distributions' existing X11 login scripts (also fd.o #61301)
⢠<includedir/> elements in dbus-daemon configuration are now silently
ignored if the directory does not exist. (fd.o #89280, Dimitri John Ledkov)
⢠Add microsecond-resolution timestamps to the default output of
dbus-monitor and dbus-send (fd.o #88896; Ralf Habacker, Simon McVittie)
Fixes:
⢠Fix a race condition in the 'monitor' test introduced in 1.9.10
(fd.o #89222, Simon McVittie)
D-Bus 1.9.12 (2015-02-19)
==
The âmonster lasagnaâ release.
Dependencies:
⢠Ducktype and yelp-tools are now required to build complete documentation
(they are optional for normal builds).
Enhancements:
⢠D-Bus Specification version 0.26
· GetConnectionCredentials can return LinuxSecurityLabel or WindowsSID
· document the BecomeMonitor method
⢠On Linux, add LinuxSecurityLabel to GetConnectionCredentials
(fd.o #89041; Tyler Hicks, Simon McVittie)
⢠On Linux, add support for AppArmor mediation of message sending and
receiving and name ownership (paralleling existing SELinux mediation
support), and eavesdropping (a new check, currently AppArmor-specific)
(fd.o #75113; John Johansen, Tyler Hicks, Simon McVittie)
⢠In dbus-send and dbus-monitor, pretty-print \0-terminated bytestrings
that have printable ASCII contents; we previously only did this for
unterminated bytestrings (fd.o #89109, Simon McVittie)
⢠Add a guide to designing good D-Bus APIs (fd.o #88994, Philip Withnall)
⢠On Windows, add WindowsSID to GetConnectionCredentials
(fd.o #54445, Ralf Habacker)
⢠Improve clarity of dbus-monitor --profile output and add more columns
(fd.o #89165, Ralf Habacker)
⢠Add a man page for dbus-test-tool, and build it under CMake as well
as Autotools (fd.o#89086, Simon McVittie)
⢠If dbus-daemon was compiled with --enable-verbose, add a D-Bus API
to control it at runtime, overriding the DBUS_VERBOSE environment variable
(fd.o #88896, Ralf Habacker)
Fixes:
⢠Reduce the number of file descriptors used in the fd-passing test,
avoiding failure under the default Linux fd limit, and automatically
skip it if the rlimit is too small (fd.o #88998, Simon McVittie)
D-Bus 1.9.10 (2015-02-09)
==
The âsad cyborgsâ release.
Security fixes merged from 1.8.16:
⢠Do not allow non-uid-0 processes to send forged ActivationFailure
messages. On Linux systems with systemd activation, this would
allow a local denial of service: unprivileged processes could
flood the bus with these forged messages, winning the race with
the actual service activation and causing an error reply
to be sent back when service auto-activation was requested.
This does not prevent the real service from being started,
so the attack only works while the real service is not running.
(CVE-2015-0245, fd.o #88811; Simon McVittie)
Enhancements:
⢠The new Monitoring interface in the dbus-daemon lets dbus-monitor and
similar tools receive messages without altering the security properties
of the system bus, by calling the new BecomeMonitor method on a
private connection. This bypasses the normal <allow> and <deny> rules
entirely, so to preserve normal message-privacy assumptions, only root
is allowed to do this on the system bus. Restricted environments,
such as Linux with LSMs, should lock down access to the Monitoring
interface. (fd.o #46787, Simon McVittie)
⢠dbus-monitor uses BecomeMonitor to capture more traffic, if the
dbus-daemon supports it and access permissions allow it.
It still supports the previous approach ("eavesdropping" match rules)
for compatibility with older bus daemons. (fd.o #46787, Simon)
⢠dbus-monitor can now log the message stream as binary data for later
analysis, with either no extra framing beyond the normal D-Bus headers,
or libpcap-compatible framing treating each D-Bus message
as a captured packet. (fd.o #46787, Simon)
Other fixes:
⢠Fix some CMake build regressions (fd.o #88964, Ralf Habacker)
⢠On Unix, forcibly terminate regression tests after 60 seconds to
prevent them from blocking continuous integration frameworks
(fd.o #46787, Simon)
D-Bus 1.9.8 (2015-02-03)
==
The âall the types of precipitationâ release.
Dependencies:
⢠full test coverage now requires GLib 2.36
⢠full test coverage now requires PyGI (PyGObject 3,
"import gi.repository.GObject") instead of the
obsolete PyGObject 2 ("import gobject")
Enhancements:
⢠add GLib-style "installed tests" (fd.o #88810, Simon McVittie)
⢠better regression test coverage, including systemd activation
(fd.o #57952, #88810; Simon McVittie)
Fixes:
⢠fatal errors correctly make the dbus-daemon exit even if <syslog/> is
turned off (fd.o #88808, Simon McVittie)
⢠TCP sockets on Windows no longer fail to listen approximately 1 time
in 256, caused by a logic error that should have always made it fail but
was mitigated by incorrect endianness for the port number
(fd.o #87999, Ralf Habacker)
⢠fix some Windows build failures (fd.o #88009, #88010; Ralf Habacker)
⢠on Windows, allow up to 8K connections to the dbus-daemon instead of the
previous 64, completing a previous fix which only worked under
Autotools (fd.o #71297, Ralf Habacker)
⢠on Windows, if the IP family is unspecified only use IPv4,
to mitigate IPv6 not working correctly (fd.o #87999, Ralf Habacker)
⢠fix some unlikely memory leaks on OOM (fd.o #88087, Simon McVittie)
⢠lcov code coverage analysis works again (fd.o #88808, Simon McVittie)
⢠fix an unused function error with --disable-embedded-tests (fd.o #87837,
Thiago Macieira)
D-Bus 1.9.6 (2015-01-05)
==
The âI do have a bread knifeâ release.
Security hardening:
⢠Do not allow calls to UpdateActivationEnvironment from uids other than
the uid of the dbus-daemon. If a system service installs unsafe
security policy rules that allow arbitrary method calls
(such as CVE-2014-8148) then this prevents memory consumption and
possible privilege escalation via UpdateActivationEnvironment.
We believe that in practice, privilege escalation here is avoided
by dbus-daemon-launch-helper sanitizing its environment; but
it seems better to be safe.
⢠Do not allow calls to UpdateActivationEnvironment or the Stats interface
on object paths other than /org/freedesktop/DBus. Some system services
install unsafe security policy rules that allow arbitrary method calls
to any destination, method and interface with a specified object path;
while less bad than allowing arbitrary method calls, these security
policies are still harmful, since dbus-daemon normally offers the
same API on all object paths and other system services might behave
similarly.
Other fixes:
⢠Add missing initialization so GetExtendedTcpTable doesn't crash on
Windows Vista SP0 (fd.o #77008, ÐлÑÑ Ð. \
ТкаÑенко)
D-Bus 1.9.4 (2014-11-24)
==
The âextra-sturdy caramelâ release.
Fixes:
⢠Partially revert the CVE-2014-3639 patch by increasing the default
authentication timeout on the system bus from 5 seconds back to 30
seconds, since this has been reported to cause boot regressions for
some users, mostly with parallel boot (systemd) on slower hardware.
On fast systems where local users are considered particularly hostile,
administrators can return to the 5 second timeout (or any other value
in milliseconds) by saving this as /etc/dbus-1/system-local.conf:
<busconfig>
<limit name="auth_timeout">5000</limit>
</busconfig>
(fd.o #86431, Simon McVittie)
⢠Add a message in syslog/the Journal when the auth_timeout is exceeded
(fd.o #86431, Simon McVittie)
⢠Send back an AccessDenied error if the addressed recipient is not allowed
to receive a message (and in builds with assertions enabled, don't
assert under the same conditions). (fd.o #86194, Jacek Bukarewicz)
D-Bus 1.9.2 (2014-11-10)
==
The âstructurally unsound flapjackâ release.
Security fixes:
⢠Increase dbus-daemon's RLIMIT_NOFILE rlimit to 65536
so that CVE-2014-3636 part A cannot exhaust the system bus'
file descriptors, completing the incomplete fix in 1.8.8.
(CVE-2014-7824, fd.o #85105; Simon McVittie, Alban Crequy)
Enhancements:
⢠D-Bus Specification version 0.25
· new value 'const' for EmitsChangedSignal annotation
(fd.o #72958, Lennart Poettering)
· new ALLOW_INTERACTIVE_AUTHORIZATION flag, for PolicyKit and similar
(fd.o #83449; Lennart Poettering, Simon McVittie)
· annotate table of types with reserved/basic/container, and for
basic types, fixed/string-like
· clarify arbitrary limits by quoting them in mebibytes
⢠New API: add accessors for the ALLOW_INTERACTIVE_AUTHORIZATION flag
(fd.o #83449, Simon McVittie)
⢠Add dbus-test-tool, a D-Bus swiss army knife with multiple subcommands,
useful for debugging and performance testing:
· dbus-test-tool spam: send repeated messages
· dbus-test-tool echo: send an empty reply for all method calls
· dbus-test-tool black-hole: do not reply to method calls
(fd.o #34140; Alban Crequy, Simon McVittie, Will Thompson)
⢠Add support for process ID in credentials-passing on NetBSD
(fd.o #69702, Patrick Welche)
⢠Add an example script to find potentially undesired match rules
(fd.o #84598, Alban Crequy)
⢠Document the central assumption that makes our use of credentials-passing
secure (fd.o #83499, Simon McVittie)
⢠Replace the dbus-glib section of the tutorial with a GDBus recommendation,
and add some links to GDBus and QtDBus documentation (fd.o #25140,
Simon McVittie)
Fixes:
⢠Use a less confusing NoReply message when disconnected with a reply pending
(fd.o #76112, Simon McVittie)
⢠Make the .pc file relocatable by letting pkg-config do all variable
expansion itself (fd.o #75858, Ð ÑÑлан \
ÐжбÑлаÑов)
⢠Fix a build failure on platforms with kqueue, which regressed in 1.9.0
(fd.o #85563, Patrick Welche)
⢠Consistently save errno after socket calls (fd.o #83625, Simon McVittie)
⢠In dbus-spawn, when the grandchild process exits due to a failed exec(),
do not lose the exec() errno (fd.o #24821, Simon McVittie)
⢠Do not fail the tests if a parent process has leaked non-close-on-exec
file descriptors to us (fd.o #73689, fd.o #83899; Simon McVittie)
⢠Do not fail the tests on Unix platforms with incomplete
credentials-passing support, but do fail if we can't pass credentials
on a platform where it is known to work: Linux, FreeBSD, OpenBSD, NetBSD
(fd.o #69702, Simon McVittie)
⢠Detect accept4, dirfd, inotify_init1, pipe2, and Unix fd passing
when building with cmake, and expand test coverage there
(fd.o #73689; Ralf Habacker, Simon McVittie)
D-Bus 1.9.0 (2014-10-01)
==
The âtiered cheesesâ release.
Requirements:
⢠Support for the systemd: (LISTEN_FDS) pseudo-transport on Linux now
requires either the libsystemd or libsd-daemon shared library, dropping the
embedded convenience copy of sd-daemon (fd.o #71818, Simon)
Build-time configuration changes:
⢠The Stats interface is now enabled by default, and locked-down to
root-only on the system bus. Configure with --disable-stats
to disable it altogether on memory- or disk-constrained systems,
or see ${docdir}/examples/ to open it up to non-root users on the
system bus or restrict access on the session bus.
(fd.o #80759; Simon McVittie, Alban Crequy)
⢠The CMake build system now builds the same shared library name as Autotools
on at least Linux and Windows:
- on Linux (and perhaps other Unix platforms), it previously built
libdbus-1.so, but now builds libdbus-1.so.3.* with development
symlink libdbus-1.so and SONAME/symlink libdbus-1.so.3
- on Windows, it previously built either libdbus-1.dll (release) or
libdbus-1d.dll (debug), but now builds libdbus-1-3.dll, copied to
libdbus-1.dll for compatibility with older applications.
(fd.o #74117, Ralf Habacker)
Enhancements:
⢠D-Bus Specification version 0.24
· document how to quote match rules (fd.o #24307, Simon McVittie)
· explicitly say that most message types never expect a reply
regardles of whether they have NO_REPLY_EXPECTED
(fd.o #75749, Simon McVittie)
⢠on Unix platforms, disable Nagle's algorithm on TCP connections to improve
initial latency (fd.o #75544, Matt Hoosier)
⢠use backtrace() if it is in -lexecinfo instead of libc, as on NetBSD
(fd.o #69702, Patrick Welche)
⢠in dbus-monitor, print more information about file descriptors
(fd.o #80603, Alban Crequy)
⢠do not install system bus configuration if built for Windows
(fd.o #83583; Ralf Habacker, Simon McVittie)
⢠Add GetAllMatchRules to the Stats interface (fd.o #24307, Alban Crequy)
⢠Add a regression test for file descriptor passing (fd.o #83622,
Simon McVittie)
Fixes:
⢠fix an incorrect error message if a Unix socket path is too long
(fd.o #73887, Antoine Jacoutot)
⢠in an MSYS/Cygwin environment, pass Unix-style filenames to xmlto,
fixing documentation generation (fd.o #75860, Ð ÑÑлан \
ÐжбÑлаÑов)
⢠in Unix with X11, avoid giving dbus-launch a misleading argv[0]
in ps(1) (fd.o #69716, Chengwei Yang)
⢠avoid calling poll() with timeout < -1, which is considered invalid
on FreeBSD and NetBSD (fd.o #78480, Jaap Boender)
⢠be portable to BSD-derived platforms where O_CLOEXEC is unavailable in libc
(like Mac OS X 10.6), or available in libc but unsupported by the kernel
(fd.o #77032; rmvsxop, OBATA Akio, Patrick Welche)
⢠Fix include path for test/internal/*.c with cmake (Ralf Habacker)
⢠Documentation improvements
(fd.o #80795, #84313; Thomas Haller, Sebastian Rasmussen)
⢠in dbus-monitor, do not leak file descriptors that we have monitored
(fd.o #80603, Alban Crequy)
⢠Set the close-on-exec flag for the inotify file descriptor, even
if built with CMake or older libc (fd.o #73689, Simon McVittie)
⢠Remove some LGPL code from the Windows dbus-daemon
(fd.o #57272, Ralf Habacker)
|