-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1600
                            dbus security update
                              17 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           dbus
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3639 CVE-2014-3638 CVE-2014-3637 CVE-2014-3636
                   CVE-2014-3635

Original Bulletin:
   http://www.debian.org/security/2014/dsa-3026

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running dbus check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3026-1                   security@debian.org
http://www.debian.org/security/                           Florian Weimer
September 16, 2014                     http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : dbus
CVE ID         : CVE-2014-3635 CVE-2014-3636 CVE-2014-3637 CVE-2014-3638
                 CVE-2014-3639

Alban Crequy and Simon McVittie discovered several vulnerabilities in the
D-Bus message daemon.

CVE-2014-3635

    On 64-bit platforms, file descriptor passing could be abused by local
    users to cause heap corruption in dbus-daemon, leading to a crash, or
    potentially to arbitrary code execution.

CVE-2014-3636

    A denial-of-service vulnerability in dbus-daemon allowed local
    attackers to prevent new connections to dbus-daemon, or disconnect
    existing clients, by exhausting descriptor limits.

CVE-2014-3637

    Malicious local users could create D-Bus connections to dbus-daemon
    which could not be terminated by killing the participating processes,
    resulting in a denial-of-service vulnerability.

CVE-2014-3638

    dbus-daemon suffered from a denial-of-service vulnerability in the
    code which tracks which messages expect a reply, allowing local
    attackers to reduce the performance of dbus-daemon.

CVE-2014-3639

    dbus-daemon did not properly reject malicious connections from local
    users, resulting in a denial-of-service vulnerability.

For the stable distribution (wheezy), these problems have been fixed in
version 1.6.8-1+deb7u4.

For the unstable distribution (sid), these problems have been fixed in
version 1.8.8-1.

We recommend that you upgrade your dbus packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================