DSA-4462-1 dbus -- dbusID: oval:org.secpod.oval:def:603942 | Date: (C)2019-06-18 (M)2023-12-20 |
Class: PATCH | Family: unix |
Joe Vennix discovered an authentication bypass vulnerability in dbus, an asynchronous inter-process communication system. The implementation of the DBUS_COOKIE_SHA1 authentication mechanism was susceptible to a symbolic link attack. A local attacker could take advantage of this flaw to bypass authentication and connect to a DBusServer with elevated privileges. The standard system and session dbus-daemons in their default configuration are not affected by this vulnerability. The vulnerability was addressed by upgrading dbus to a new upstream version 1.10.28 which includes additional fixes.
Product: |
dbus |
libdbus-1-3 |
libdbus-1-dev |