!24 增加版本1.12.20安全回合的fixs和README详细内容
From: @xielhxie Reviewed-by: @solarhu,@licihua Signed-off-by: @solarhu,@licihua
This commit is contained in:
openeuler-ci-bot
Gitee
commit
43055c6728
26
README.en.md
Normal file
26
README.en.md
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
D-Bus
|
||||||
|
|
||||||
|
D-Bus is a message bus system, a simple way for applications to talk to one another.
|
||||||
|
In addition to interprocess communication, D-Bus helps coordinate process lifecycle; it makes it simple and reliable to code a "single instance" application or daemon, and to launch applications and daemons on demand when their services are needed.
|
||||||
|
|
||||||
|
D-Bus supplies both a system daemon (for events such as "new hardware device added" or "printer queue changed") and a per-user-login-session daemon (for general IPC needs among user applications).
|
||||||
|
Also, the message bus is built on top of a general one-to-one message passing framework, which can be used by any two apps to communicate directly (without going through the message bus daemon).
|
||||||
|
Currently the communicating applications are on one computer, or through unencrypted TCP/IP suitable for use behind a firewall with shared NFS home directories. (Help wanted with better remote transports - the transport mechanism is well-abstracted and extensible.)
|
||||||
|
|
||||||
|
The dbus low-level API reference implementation and the D-Bus protocol have been heavily tested in the real world over several years, and are now "set in stone." Future changes will either be compatible or versioned appropriately.
|
||||||
|
|
||||||
|
The low-level libdbus reference library has no required dependencies; the reference bus daemon's only required dependency is an XML parser (expat).
|
||||||
|
Higher-level bindings specific to particular frameworks (Qt, GLib, Java, C#, Python, etc.) add more dependencies, but can make more assumptions and are thus much simpler to use.
|
||||||
|
The bindings evolve separately from the low-level libdbus, so some are more mature and ABI-stable than others; check the docs for the binding you plan to use.
|
||||||
|
|
||||||
|
There are also some reimplementations of the D-Bus protocol for languages such as C#, Java, and Ruby.
|
||||||
|
These do not use the libdbus reference implementation.
|
||||||
|
|
||||||
|
It should be noted that the low-level implementation is not primarily designed for application authors to use.
|
||||||
|
Rather, it is a basis for binding authors and a reference for reimplementations.
|
||||||
|
If you are able to do so it is recommended that you use one of the higher level bindings or implementations.
|
||||||
|
A list of these can be found on the bindings page.
|
||||||
|
|
||||||
|
The list of projects using D-Bus is growing and they provide a wealth of examples of using the various APIs to learn from.
|
||||||
|
|
||||||
|
D-Bus is very portable to any Linux or UNIX flavor, and a port to Windows is in progress.
|
||||||
80
dbus -1.12.20 Changelog
Normal file
80
dbus -1.12.20 Changelog
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
dbus 1.12.20 (2020-07-02)
|
||||||
|
=========================
|
||||||
|
|
||||||
|
The “temporary nemesis” release.
|
||||||
|
|
||||||
|
Maybe security fixes:
|
||||||
|
|
||||||
|
• On Unix, avoid a use-after-free if two usernames have the same
|
||||||
|
numeric uid. In older versions this could lead to a crash (denial of
|
||||||
|
service) or other undefined behaviour, possibly including incorrect
|
||||||
|
authorization decisions if <policy group=...> is used.
|
||||||
|
Like Unix filesystems, D-Bus' model of identity cannot distinguish
|
||||||
|
between users of different names with the same numeric uid, so this
|
||||||
|
configuration is not advisable on systems where D-Bus will be used.
|
||||||
|
Thanks to Daniel Onaca.
|
||||||
|
(dbus#305, dbus!166; Simon McVittie)
|
||||||
|
|
||||||
|
Other fixes:
|
||||||
|
|
||||||
|
• On Solaris and its derivatives, if a cmsg header is truncated, ensure
|
||||||
|
that we do not overrun the buffer used for fd-passing, even if the
|
||||||
|
kernel tells us to.
|
||||||
|
(dbus#304, dbus!165; Andy Fiddaman)
|
||||||
|
|
||||||
|
dbus 1.12.18 (2020-06-02)
|
||||||
|
=========================
|
||||||
|
|
||||||
|
The “telepathic vines” release.
|
||||||
|
|
||||||
|
Denial of service fixes:
|
||||||
|
|
||||||
|
• CVE-2020-12049: If a message contains more file descriptors than can
|
||||||
|
be sent, close those that did get through before reporting error.
|
||||||
|
Previously, a local attacker could cause the system dbus-daemon (or
|
||||||
|
another system service with its own DBusServer) to run out of file
|
||||||
|
descriptors, by repeatedly connecting to the server and sending fds that
|
||||||
|
would get leaked.
|
||||||
|
Thanks to Kevin Backhouse of GitHub Security Lab.
|
||||||
|
(dbus#294, GHSL-2020-057; Simon McVittie)
|
||||||
|
|
||||||
|
Other fixes:
|
||||||
|
|
||||||
|
• Fix a crash when the dbus-daemon is terminated while one or more
|
||||||
|
monitors are active (dbus#291, dbus!140; Simon McVittie)
|
||||||
|
|
||||||
|
• The dbus-send(1) man page now documents --bus and --peer instead of
|
||||||
|
the old --address synonym for --peer, which has been deprecated since
|
||||||
|
the introduction of --bus and --peer in 1.7.6
|
||||||
|
(fd.o #48816, dbus!115; Chris Morin)
|
||||||
|
|
||||||
|
• Fix a wrong environment variable name in dbus-daemon(1)
|
||||||
|
(dbus#275, dbus!122; Mubin, Philip Withnall)
|
||||||
|
|
||||||
|
• Fix formatting of dbus_message_append_args example
|
||||||
|
(dbus!126, Felipe Franciosi)
|
||||||
|
|
||||||
|
• Avoid a test failure on Linux when built in a container as uid 0, but
|
||||||
|
without the necessary privileges to increase resource limits
|
||||||
|
(dbus!58, Debian #908092; Simon McVittie)
|
||||||
|
|
||||||
|
• When building with CMake, cope with libX11 in a non-standard location
|
||||||
|
(dbus!129, Tuomo Rinne)
|
||||||
|
|
||||||
|
dbus 1.12.16 (2019-06-11)
|
||||||
|
=========================
|
||||||
|
|
||||||
|
The “tree cat” release.
|
||||||
|
|
||||||
|
Security fixes:
|
||||||
|
|
||||||
|
• CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
|
||||||
|
authentication for identities that differ from the user running the
|
||||||
|
DBusServer. Previously, a local attacker could manipulate symbolic
|
||||||
|
links in their own home directory to bypass authentication and connect
|
||||||
|
to a DBusServer with elevated privileges. The standard system and
|
||||||
|
session dbus-daemons in their default configuration were immune to this
|
||||||
|
attack because they did not allow DBUS_COOKIE_SHA1, but third-party
|
||||||
|
users of DBusServer such as Upstart could be vulnerable.
|
||||||
|
Thanks to Joe Vennix of Apple Information Security.
|
||||||
|
(dbus#269, Simon McVittie)
|
||||||
@ -1,7 +1,7 @@
|
|||||||
Name: dbus
|
Name: dbus
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 1.12.20
|
Version: 1.12.20
|
||||||
Release: 1
|
Release: 2
|
||||||
Summary: System Message Bus
|
Summary: System Message Bus
|
||||||
License: AFLv2.1 or GPLv2+
|
License: AFLv2.1 or GPLv2+
|
||||||
URL: http://www.freedesktop.org/Software/dbus/
|
URL: http://www.freedesktop.org/Software/dbus/
|
||||||
@ -215,6 +215,9 @@ make check
|
|||||||
%exclude %{_pkgdocdir}/README
|
%exclude %{_pkgdocdir}/README
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Nov 13 2020 xielh2000 <xielh2000@163.com> - 1:1.12.20-2
|
||||||
|
- Add from 1.12.16 to 1.12.20 of changelog and README.en
|
||||||
|
|
||||||
* Wed Jul 15 2020 shenyangyang <shenyangyang4@huawei.com> - 1:1.12.20-1
|
* Wed Jul 15 2020 shenyangyang <shenyangyang4@huawei.com> - 1:1.12.20-1
|
||||||
- Upgrade to 1.12.20
|
- Upgrade to 1.12.20
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user