[SECURITY] [DLA 1818-1] dbus security update

2019-06-1411:54:42

lists.debian.org

CVSS2

3.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:P/A:N

CVSS3

7.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

34.4%

JSON

Package : dbus
Version : 1.8.22-0+deb8u2
CVE ID : CVE-2019-12749
Debian Bug : 930375

Joe Vennix discovered an authentication bypass vulnerability in dbus, an
asynchronous inter-process communication system. The implementation of
the DBUS_COOKIE_SHA1 authentication mechanism was susceptible to a
symbolic link attack. A local attacker could take advantage of this flaw
to bypass authentication and connect to a DBusServer with elevated
privileges.

For Debian 8 "Jessie", this problem has been fixed in version
1.8.22-0+deb8u2.

We recommend that you upgrade your dbus packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian9alldbus< 1.10.28-0+deb9u1dbus_1.10.28-0+deb9u1_all.deb
Debian9i386dbus-1-dbg< 1.10.28-0+deb9u1dbus-1-dbg_1.10.28-0+deb9u1_i386.deb
Debian8armhfdbus-x11< 1.8.22-0+deb8u2dbus-x11_1.8.22-0+deb8u2_armhf.deb
Debian8amd64libdbus-1-3< 1.8.22-0+deb8u2libdbus-1-3_1.8.22-0+deb8u2_amd64.deb
Debian9ppc64ellibdbus-1-3-udeb< 1.10.28-0+deb9u1libdbus-1-3-udeb_1.10.28-0+deb9u1_ppc64el.deb
Debian9amd64dbus-x11< 1.10.28-0+deb9u1dbus-x11_1.10.28-0+deb9u1_amd64.deb
Debian9mipsdbus< 1.10.28-0+deb9u1dbus_1.10.28-0+deb9u1_mips.deb
Debian8i386libdbus-1-3-udeb< 1.8.22-0+deb8u2libdbus-1-3-udeb_1.8.22-0+deb8u2_i386.deb
Debian9ppc64eldbus-udeb< 1.10.28-0+deb9u1dbus-udeb_1.10.28-0+deb9u1_ppc64el.deb
Debian9mips64ellibdbus-1-3-udeb< 1.10.28-0+deb9u1libdbus-1-3-udeb_1.10.28-0+deb9u1_mips64el.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	all	dbus	< 1.10.28-0+deb9u1	dbus_1.10.28-0+deb9u1_all.deb
Debian	9	i386	dbus-1-dbg	< 1.10.28-0+deb9u1	dbus-1-dbg_1.10.28-0+deb9u1_i386.deb
Debian	8	armhf	dbus-x11	< 1.8.22-0+deb8u2	dbus-x11_1.8.22-0+deb8u2_armhf.deb
Debian	8	amd64	libdbus-1-3	< 1.8.22-0+deb8u2	libdbus-1-3_1.8.22-0+deb8u2_amd64.deb
Debian	9	ppc64el	libdbus-1-3-udeb	< 1.10.28-0+deb9u1	libdbus-1-3-udeb_1.10.28-0+deb9u1_ppc64el.deb
Debian	9	amd64	dbus-x11	< 1.10.28-0+deb9u1	dbus-x11_1.10.28-0+deb9u1_amd64.deb
Debian	9	mips	dbus	< 1.10.28-0+deb9u1	dbus_1.10.28-0+deb9u1_mips.deb
Debian	8	i386	libdbus-1-3-udeb	< 1.8.22-0+deb8u2	libdbus-1-3-udeb_1.8.22-0+deb8u2_i386.deb
Debian	9	ppc64el	dbus-udeb	< 1.10.28-0+deb9u1	dbus-udeb_1.10.28-0+deb9u1_ppc64el.deb
Debian	9	mips64el	libdbus-1-3-udeb	< 1.10.28-0+deb9u1	libdbus-1-3-udeb_1.10.28-0+deb9u1_mips64el.deb