base repository: NixOS/nixpkgs
base: 40ff73327d60
head repository: NixOS/nixpkgs
compare: 6d7cdd7f8b5b
  • 1 commit
  • 1 file changed
  • 1 contributor

Commits on Jun 15, 2019

  1. dbus: 1.12.14 -> 1.12.16

    https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12.16/NEWS
    
    It's short and explains the CVE a bit, including below:
    
    > CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
    > authentication for identities that differ from the user running the
    > DBusServer. Previously, a local attacker could manipulate symbolic
    > links in their own home directory to bypass authentication and connect
    > to a DBusServer with elevated privileges. The standard system and
    > session dbus-daemons in their default configuration were immune to this
    > attack because they did not allow DBUS_COOKIE_SHA1, but third-party
    > users of DBusServer such as Upstart could be vulnerable. Thanks to Joe
    > Vennix of Apple Information Security. (dbus#269, Simon McVittie)
    dtzWill authored and FRidh committed Jun 15, 2019
    6d7cdd7