Operating System:

[RedHat]

Published:

06 November 2019

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4123
                           dbus security update
                              6 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           dbus
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 8
                   Red Hat Enterprise Linux WS/Desktop 8
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12749  

Reference:         ESB-2019.4041
                   ESB-2019.3586
                   ESB-2019.3313
                   ESB-2019.2549
                   ESB-2019.2416
                   ESB-2019.2107.2

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2019:3707

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: dbus security update
Advisory ID:       RHSA-2019:3707-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3707
Issue date:        2019-11-05
CVE Names:         CVE-2019-12749 
=====================================================================

1. Summary:

An update for dbus is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

D-Bus is a system for sending messages between applications. It is used
both for the system-wide message bus service, and as a
per-user-login-session messaging facility.

Security Fix(es):

* dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all running instances of dbus-daemon and all
running applications using the libdbus library must be restarted, or the
system rebooted.

5. Bugs fixed (https://bugzilla.redhat.com/):

1719344 - CVE-2019-12749 dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

aarch64:
dbus-daemon-debuginfo-1.12.8-9.el8.aarch64.rpm
dbus-debuginfo-1.12.8-9.el8.aarch64.rpm
dbus-debugsource-1.12.8-9.el8.aarch64.rpm
dbus-devel-1.12.8-9.el8.aarch64.rpm
dbus-libs-debuginfo-1.12.8-9.el8.aarch64.rpm
dbus-tests-debuginfo-1.12.8-9.el8.aarch64.rpm
dbus-tools-debuginfo-1.12.8-9.el8.aarch64.rpm
dbus-x11-1.12.8-9.el8.aarch64.rpm
dbus-x11-debuginfo-1.12.8-9.el8.aarch64.rpm

ppc64le:
dbus-daemon-debuginfo-1.12.8-9.el8.ppc64le.rpm
dbus-debuginfo-1.12.8-9.el8.ppc64le.rpm
dbus-debugsource-1.12.8-9.el8.ppc64le.rpm
dbus-devel-1.12.8-9.el8.ppc64le.rpm
dbus-libs-debuginfo-1.12.8-9.el8.ppc64le.rpm
dbus-tests-debuginfo-1.12.8-9.el8.ppc64le.rpm
dbus-tools-debuginfo-1.12.8-9.el8.ppc64le.rpm
dbus-x11-1.12.8-9.el8.ppc64le.rpm
dbus-x11-debuginfo-1.12.8-9.el8.ppc64le.rpm

s390x:
dbus-daemon-debuginfo-1.12.8-9.el8.s390x.rpm
dbus-debuginfo-1.12.8-9.el8.s390x.rpm
dbus-debugsource-1.12.8-9.el8.s390x.rpm
dbus-devel-1.12.8-9.el8.s390x.rpm
dbus-libs-debuginfo-1.12.8-9.el8.s390x.rpm
dbus-tests-debuginfo-1.12.8-9.el8.s390x.rpm
dbus-tools-debuginfo-1.12.8-9.el8.s390x.rpm
dbus-x11-1.12.8-9.el8.s390x.rpm
dbus-x11-debuginfo-1.12.8-9.el8.s390x.rpm

x86_64:
dbus-daemon-debuginfo-1.12.8-9.el8.i686.rpm
dbus-daemon-debuginfo-1.12.8-9.el8.x86_64.rpm
dbus-debuginfo-1.12.8-9.el8.i686.rpm
dbus-debuginfo-1.12.8-9.el8.x86_64.rpm
dbus-debugsource-1.12.8-9.el8.i686.rpm
dbus-debugsource-1.12.8-9.el8.x86_64.rpm
dbus-devel-1.12.8-9.el8.i686.rpm
dbus-devel-1.12.8-9.el8.x86_64.rpm
dbus-libs-debuginfo-1.12.8-9.el8.i686.rpm
dbus-libs-debuginfo-1.12.8-9.el8.x86_64.rpm
dbus-tests-debuginfo-1.12.8-9.el8.i686.rpm
dbus-tests-debuginfo-1.12.8-9.el8.x86_64.rpm
dbus-tools-debuginfo-1.12.8-9.el8.i686.rpm
dbus-tools-debuginfo-1.12.8-9.el8.x86_64.rpm
dbus-x11-1.12.8-9.el8.x86_64.rpm
dbus-x11-debuginfo-1.12.8-9.el8.i686.rpm
dbus-x11-debuginfo-1.12.8-9.el8.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 8):

Source:
dbus-1.12.8-9.el8.src.rpm

aarch64:
dbus-1.12.8-9.el8.aarch64.rpm
dbus-daemon-1.12.8-9.el8.aarch64.rpm
dbus-daemon-debuginfo-1.12.8-9.el8.aarch64.rpm
dbus-debuginfo-1.12.8-9.el8.aarch64.rpm
dbus-debugsource-1.12.8-9.el8.aarch64.rpm
dbus-libs-1.12.8-9.el8.aarch64.rpm
dbus-libs-debuginfo-1.12.8-9.el8.aarch64.rpm
dbus-tests-debuginfo-1.12.8-9.el8.aarch64.rpm
dbus-tools-1.12.8-9.el8.aarch64.rpm
dbus-tools-debuginfo-1.12.8-9.el8.aarch64.rpm
dbus-x11-debuginfo-1.12.8-9.el8.aarch64.rpm

noarch:
dbus-common-1.12.8-9.el8.noarch.rpm

ppc64le:
dbus-1.12.8-9.el8.ppc64le.rpm
dbus-daemon-1.12.8-9.el8.ppc64le.rpm
dbus-daemon-debuginfo-1.12.8-9.el8.ppc64le.rpm
dbus-debuginfo-1.12.8-9.el8.ppc64le.rpm
dbus-debugsource-1.12.8-9.el8.ppc64le.rpm
dbus-libs-1.12.8-9.el8.ppc64le.rpm
dbus-libs-debuginfo-1.12.8-9.el8.ppc64le.rpm
dbus-tests-debuginfo-1.12.8-9.el8.ppc64le.rpm
dbus-tools-1.12.8-9.el8.ppc64le.rpm
dbus-tools-debuginfo-1.12.8-9.el8.ppc64le.rpm
dbus-x11-debuginfo-1.12.8-9.el8.ppc64le.rpm

s390x:
dbus-1.12.8-9.el8.s390x.rpm
dbus-daemon-1.12.8-9.el8.s390x.rpm
dbus-daemon-debuginfo-1.12.8-9.el8.s390x.rpm
dbus-debuginfo-1.12.8-9.el8.s390x.rpm
dbus-debugsource-1.12.8-9.el8.s390x.rpm
dbus-libs-1.12.8-9.el8.s390x.rpm
dbus-libs-debuginfo-1.12.8-9.el8.s390x.rpm
dbus-tests-debuginfo-1.12.8-9.el8.s390x.rpm
dbus-tools-1.12.8-9.el8.s390x.rpm
dbus-tools-debuginfo-1.12.8-9.el8.s390x.rpm
dbus-x11-debuginfo-1.12.8-9.el8.s390x.rpm

x86_64:
dbus-1.12.8-9.el8.x86_64.rpm
dbus-daemon-1.12.8-9.el8.x86_64.rpm
dbus-daemon-debuginfo-1.12.8-9.el8.i686.rpm
dbus-daemon-debuginfo-1.12.8-9.el8.x86_64.rpm
dbus-debuginfo-1.12.8-9.el8.i686.rpm
dbus-debuginfo-1.12.8-9.el8.x86_64.rpm
dbus-debugsource-1.12.8-9.el8.i686.rpm
dbus-debugsource-1.12.8-9.el8.x86_64.rpm
dbus-libs-1.12.8-9.el8.i686.rpm
dbus-libs-1.12.8-9.el8.x86_64.rpm
dbus-libs-debuginfo-1.12.8-9.el8.i686.rpm
dbus-libs-debuginfo-1.12.8-9.el8.x86_64.rpm
dbus-tests-debuginfo-1.12.8-9.el8.i686.rpm
dbus-tests-debuginfo-1.12.8-9.el8.x86_64.rpm
dbus-tools-1.12.8-9.el8.x86_64.rpm
dbus-tools-debuginfo-1.12.8-9.el8.i686.rpm
dbus-tools-debuginfo-1.12.8-9.el8.x86_64.rpm
dbus-x11-debuginfo-1.12.8-9.el8.i686.rpm
dbus-x11-debuginfo-1.12.8-9.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-12749
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXcHzDdzjgjWX9erEAQhMTA/+KZqSgVDz1CJJaInF7lGQnPRYVj0dTkwW
Fhe5J4kVeYRGdPznBMAyykTIxagw2sLmz3aGpkhPfWXaA/vf9o1f3kOOHBeeko79
UXTYYqUJr2TfLXUwaBVEi3AMSnjNJLjt0MRn7r9jp0pnFrcgxD3VlfWUTwEMrRVo
UyRJPbP8nTHVb456IKsxP65R/tVsbkeAkCYJr00fVQvFLVE2GDbSTnYE2gf4H9K/
uXYF/xEBScemKdM3yAJULAK2zDjLh/sk8wtD6+Esp7XFpL9aarHDer6mnNun7on9
Il/4uszxJ8t2SKvnUXIVZyX6/1ujVpGUk+zuSHX7djSwO4g64e7knqnB1yydEdLE
r7CxggbBanT5Twf/dKTirVZbcflbek9FX07RxHkLzud1Dg1JgAGqxt/WekHUgrfx
6QstEeLslacsM+6qrd7CzzQtI14vaVkJCHb/7aPDM4gIka5an9A+9ykPC8S1taGL
dettGCVeDrFFDKcUtM5d3hzcU8eo3660Rq+N11lfCXahzYnqeL8swNkboaong3Fi
F93cXCxSCcdPEiz6qISI3nzpDwREVsmwaCLLPloFDgqSN2Ob3kRcRQ+iRioopbcz
6dsACKdHxIyUpgrlr9m3jjyPnm9B7OK2CotqaHg+zTP9nDWI+mvxzq1p5tsqILyS
07yv3b3IPRM=
=yup0
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXcI5TmaOgq3Tt24GAQikdBAAk5XhGrf8UOxhwkCEO+W4rmMJ1noFb8fK
JiCrWUfoY7f9/6fQpN1luicZaiN6ekI9dyGP0XZWbzw/dycEFTFtZwzinoN0Y2Zc
WGYaae3X0x746BLfzPlsmBNefnQEx6LWORXBtzuNaFKLjSmZq3XG33LyouPtvdjv
mkNW0WwQGWGrBB3f+ni0SjhTsYW29HV5z/8RKlX8vt8AlMt1o8cT/YjXDBaOBpzA
IMGF2bm66Gank4zbhsWKy2eV9mONiUYngFfCLnilvTSO8aNMWNt6BgvXpH+fFnSm
9v9VKT8IISCNQqUPE/upRCz9100EzRPM3PESKhVJVxQj7U+oRqLfPHyEKHWd/M/8
55OtICwDR+sEwD1JyPViAdnv5/FdJRWtCmohVQPx0doJCKBTtFyABZ8tYpbogiro
PFxzQdico/hYp0HcLS9q/kz4FTSccfQa1kxJN+UPDDoH85ZjlQmiTmsPsE3yro9O
LK5Aozf28xa8wFPC+g/O9A15Qw4v6EB3C2lZ7lad+BE44PtddTPIcWu+Cha2ukwB
wTR6OL8PJtvO3sP5Zy2qSJ1VjNAq1b1heYdb1PDqaatkacUGD/ANR+8a3WHqY0wl
2EBvzYTZd734gVe2cSlBFgdnF/Op6vEEITIIrFF9H69KQR5Y+Agg7XH3oXfWWej6
N7VnUUWZqt8=
=oBzo
-----END PGP SIGNATURE-----