Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2015-0405)

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.1.10.2015.0405

Kategorie: Mageia Linux Local Security Checks

Titel: Mageia: Security Advisory (MGASA-2015-0405)

Zusammenfassung: The remote host is missing an update for the 'dbus' package(s) announced via the MGASA-2015-0405 advisory.

Beschreibung: Summary:
The remote host is missing an update for the 'dbus' package(s) announced via the MGASA-2015-0405 advisory.

Vulnerability Insight:
Updated dbus packages provides security hardening and fixes some bugs

Security hardening:

On Unix platforms, change the default configuration for the session bus
to only allow EXTERNAL authentication (secure kernel-mediated
credentials-passing), as was already done for the system bus.

This avoids falling back to DBUS_COOKIE_SHA1, which relies on strongly
unpredictable pseudo-random numbers, under certain circumstances
(/dev/urandom unreadable or malloc() returns NULL), dbus could
fall back to using rand(), which does not have the desired
unpredictability. The fallback to rand() has not been changed in this
stable-branch since the necessary code changes for correct error-handling
are rather intrusive.

If you are using D-Bus over the (unencrypted!) tcp: or nonce-tcp:
transport, in conjunction with DBUS_COOKIE_SHA1 and a shared home
directory using NFS or similar, you will need to reconfigure the session
bus to accept DBUS_COOKIE_SHA1 by commenting out the element. This
configuration is not recommended.

Other fixes:

Fix a memory leak when GetConnectionCredentials() succeeds
(fd.o #91008, Jacek Bukarewicz)

Ensure that dbus-monitor does not reply to messages intended for others
(fd.o #90952, Simon McVittie)

Add locking to DBusCounter's reference count and notify function
(fd.o #89297, Adrian Szyndela)

Ensure that DBusTransport's reference count is protected by the
corresponding DBusConnection's lock (fd.o #90312, Adrian Szyndela)

Correctly release DBusServer mutex before early-return if we run out
of memory while copying authentication mechanisms (fd.o #90021,
Ralf Habacker)

Correctly initialize all fields of DBusTypeReader (fd.o #90021,
Ralf Habacker, Simon McVittie)

Clean up some memory leaks in test code (fd.o #90021, Ralf Habacker)

Affected Software/OS:
'dbus' package(s) on Mageia 5.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Copyright Copyright (C) 2022 Greenbone AG

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.1.10.2015.0405
Kategorie:	Mageia Linux Local Security Checks
Titel:	Mageia: Security Advisory (MGASA-2015-0405)
Zusammenfassung:	The remote host is missing an update for the 'dbus' package(s) announced via the MGASA-2015-0405 advisory.
Beschreibung:	Summary: The remote host is missing an update for the 'dbus' package(s) announced via the MGASA-2015-0405 advisory. Vulnerability Insight: Updated dbus packages provides security hardening and fixes some bugs Security hardening: On Unix platforms, change the default configuration for the session bus to only allow EXTERNAL authentication (secure kernel-mediated credentials-passing), as was already done for the system bus. This avoids falling back to DBUS_COOKIE_SHA1, which relies on strongly unpredictable pseudo-random numbers, under certain circumstances (/dev/urandom unreadable or malloc() returns NULL), dbus could fall back to using rand(), which does not have the desired unpredictability. The fallback to rand() has not been changed in this stable-branch since the necessary code changes for correct error-handling are rather intrusive. If you are using D-Bus over the (unencrypted!) tcp: or nonce-tcp: transport, in conjunction with DBUS_COOKIE_SHA1 and a shared home directory using NFS or similar, you will need to reconfigure the session bus to accept DBUS_COOKIE_SHA1 by commenting out the element. This configuration is not recommended. Other fixes: Fix a memory leak when GetConnectionCredentials() succeeds (fd.o #91008, Jacek Bukarewicz) Ensure that dbus-monitor does not reply to messages intended for others (fd.o #90952, Simon McVittie) Add locking to DBusCounter's reference count and notify function (fd.o #89297, Adrian Szyndela) Ensure that DBusTransport's reference count is protected by the corresponding DBusConnection's lock (fd.o #90312, Adrian Szyndela) Correctly release DBusServer mutex before early-return if we run out of memory while copying authentication mechanisms (fd.o #90021, Ralf Habacker) Correctly initialize all fields of DBusTypeReader (fd.o #90021, Ralf Habacker, Simon McVittie) Clean up some memory leaks in test code (fd.o #90021, Ralf Habacker) Affected Software/OS: 'dbus' package(s) on Mageia 5. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Copyright	Copyright (C) 2022 Greenbone AG