Commit 38fe525f authored by Simon McVittie

Update NEWS

Signed-off-by: Simon McVittie <>
parent dc94fe3d
...@@ -13,7 +13,26 @@ the dbus-security mailing list on ...@@ -13,7 +13,26 @@ the dbus-security mailing list on
dbus 1.10.32 (UNRELEASED) dbus 1.10.32 (UNRELEASED)
== ==
... The “technically a venom” release.
Maybe security fixes:
• On Unix, avoid a use-after-free if two usernames have the same
numeric uid. In older versions this could lead to a crash (denial of
service) or other undefined behaviour, possibly including incorrect
authorization decisions if <policy group=...> is used.
Like Unix filesystems, D-Bus' model of identity cannot distinguish
between users of different names with the same numeric uid, so this
configuration is not advisable on systems where D-Bus will be used.
Thanks to Daniel Onaca.
(dbus#305, dbus!166; Simon McVittie)
Other fixes:
• On Solaris and its derivatives, if a cmsg header is truncated, ensure
that we do not overrun the buffer used for fd-passing, even if the
kernel tells us to.
(dbus#304, dbus!165; Andy Fiddaman)
dbus 1.10.30 (2020-06-02) dbus 1.10.30 (2020-06-02)
== ==
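Review bot: The Solaris cmsg entry under "Other fixes" describes preventing an overrun of the fd-passing buffer when a cmsg header is truncated, which reads like a memory-safety fix, yet it sits outside "Maybe security fixes" with no reason given. If a peer cannot trigger the truncation, a short clause saying so would help anyone triaging this release; if it can, the entry belongs under the security heading alongside the uid use-after-free. Separately, the use-after-free entry says "In older versions" without naming a range, so a reader cannot tell from NEWS alone whether a given 1.10.x build is affected; stating the affected versions, or that all prior releases are, would make the "possibly including incorrect authorization decisions if <policy group=...> is used" warning actionable.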