Commit 8116f98b authored by Simon McVittie

Update NEWS for 1.8.x

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
parent ca04b6b2
D-Bus 1.8.24 (UNRELEASED)
==
The fixes in this release are arguably security fixes, but if they
affect you, please take this opportunity to rethink how you are
configuring dbus.
Fixes:
• Prevent symlink attacks in the nonce-tcp transport on Unix that could
allow an attacker to overwrite a file named "nonce", in a directory
that the user running dbus-daemon can write, with a random value
known only to the user running dbus-daemon. This is unlikely to be
exploitable in practice, particularly since the nonce-tcp transport
is really only useful on Windows.
On Unix systems we strongly recommend using only the unix: and systemd:
transports, together with EXTERNAL authentication. These are the only
transports and authentication mechanisms enabled by default.
(fd.o #99828, Simon McVittie)
• Avoid symlink attacks in the "embedded tests", which are not enabled
by default and should never be enabled in production builds of dbus.
(fd.o #99828, Simon McVittie)
D-Bus 1.8.22 (2016-10-10)
==
......
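Review bot: The intro paragraph tells readers to rethink their configuration "if they affect you" but never says who is affected; the conditions appear only further down, inside the bullets (a dbus-daemon using the nonce-tcp transport on Unix, or a build with the "embedded tests" enabled). Suggest naming those two conditions in the intro. The "On Unix systems we strongly recommend using only the unix: and systemd: transports" paragraph would also fit better there: it currently sits between the first bullet's description and its "(fd.o #99828, Simon McVittie)" attribution, so it reads as part of the fix rather than as general configuration guidance.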