| Summary: | <sys-apps/dbus-1.8.10: denial of service via incomplete fix for CVE-2014-3636 (CVE-2014-7824) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | freedesktop-bugs |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2014/11/10/2 | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
2014-11-11 09:14:35 UTC
1.8.10 in tree with http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=4e466446d27f1a3991c22307a47a81c9e93e530d as only change over 1.8.8, looks like the commit we want for this bug

please test and stabilize: =sys-apps/dbus-1.8.10

Stable for HPPA.

amd64 stable

x86 stable

arm stable

Stable on alpha.

ia64 stable

ppc64 stable

sparc stable

ppc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

Added to existing glsa draft.

This issue was resolved and addressed in GLSA 201412-12 at http://security.gentoo.org/glsa/glsa-201412-12.xml by GLSA coordinator Mikle Kolyada (Zlogene).

CVE-2014-7824 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7824): D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636.1.