DSA-4462-1 dbus -- dbusID: oval:org.secpod.oval:def:55511 | Date: (C)2019-06-19 (M)2023-12-20 |
Class: PATCH | Family: unix |
Joe Vennix discovered an authentication bypass vulnerability in dbus, an asynchronous inter-process communication system. The implementation of the DBUS_COOKIE_SHA1 authentication mechanism was susceptible to a symbolic link attack. A local attacker could take advantage of this flaw to bypass authentication and connect to a DBusServer with elevated privileges. The standard system and session dbus-daemons in their default configuration are not affected by this vulnerability. The vulnerability was addressed by upgrading dbus to a new upstream version 1.10.28 which includes additional fixes.