Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2015-0405)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.1.10.2015.0405

Category: Mageia Linux Local Security Checks

Title: Mageia: Security Advisory (MGASA-2015-0405)

Summary: The remote host is missing an update for the 'dbus' package(s) announced via the MGASA-2015-0405 advisory.

Description: Summary:
The remote host is missing an update for the 'dbus' package(s) announced via the MGASA-2015-0405 advisory.

Vulnerability Insight:
Updated dbus packages provides security hardening and fixes some bugs

Security hardening:

On Unix platforms, change the default configuration for the session bus
to only allow EXTERNAL authentication (secure kernel-mediated
credentials-passing), as was already done for the system bus.

This avoids falling back to DBUS_COOKIE_SHA1, which relies on strongly
unpredictable pseudo-random numbers, under certain circumstances
(/dev/urandom unreadable or malloc() returns NULL), dbus could
fall back to using rand(), which does not have the desired
unpredictability. The fallback to rand() has not been changed in this
stable-branch since the necessary code changes for correct error-handling
are rather intrusive.

If you are using D-Bus over the (unencrypted!) tcp: or nonce-tcp:
transport, in conjunction with DBUS_COOKIE_SHA1 and a shared home
directory using NFS or similar, you will need to reconfigure the session
bus to accept DBUS_COOKIE_SHA1 by commenting out the element. This
configuration is not recommended.

Other fixes:

Fix a memory leak when GetConnectionCredentials() succeeds
(fd.o #91008, Jacek Bukarewicz)

Ensure that dbus-monitor does not reply to messages intended for others
(fd.o #90952, Simon McVittie)

Add locking to DBusCounter's reference count and notify function
(fd.o #89297, Adrian Szyndela)

Ensure that DBusTransport's reference count is protected by the
corresponding DBusConnection's lock (fd.o #90312, Adrian Szyndela)

Correctly release DBusServer mutex before early-return if we run out
of memory while copying authentication mechanisms (fd.o #90021,
Ralf Habacker)

Correctly initialize all fields of DBusTypeReader (fd.o #90021,
Ralf Habacker, Simon McVittie)

Clean up some memory leaks in test code (fd.o #90021, Ralf Habacker)

Affected Software/OS:
'dbus' package(s) on Mageia 5.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Copyright Copyright (C) 2022 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.1.10.2015.0405
Category:	Mageia Linux Local Security Checks
Title:	Mageia: Security Advisory (MGASA-2015-0405)
Summary:	The remote host is missing an update for the 'dbus' package(s) announced via the MGASA-2015-0405 advisory.
Description:	Summary: The remote host is missing an update for the 'dbus' package(s) announced via the MGASA-2015-0405 advisory. Vulnerability Insight: Updated dbus packages provides security hardening and fixes some bugs Security hardening: On Unix platforms, change the default configuration for the session bus to only allow EXTERNAL authentication (secure kernel-mediated credentials-passing), as was already done for the system bus. This avoids falling back to DBUS_COOKIE_SHA1, which relies on strongly unpredictable pseudo-random numbers, under certain circumstances (/dev/urandom unreadable or malloc() returns NULL), dbus could fall back to using rand(), which does not have the desired unpredictability. The fallback to rand() has not been changed in this stable-branch since the necessary code changes for correct error-handling are rather intrusive. If you are using D-Bus over the (unencrypted!) tcp: or nonce-tcp: transport, in conjunction with DBUS_COOKIE_SHA1 and a shared home directory using NFS or similar, you will need to reconfigure the session bus to accept DBUS_COOKIE_SHA1 by commenting out the element. This configuration is not recommended. Other fixes: Fix a memory leak when GetConnectionCredentials() succeeds (fd.o #91008, Jacek Bukarewicz) Ensure that dbus-monitor does not reply to messages intended for others (fd.o #90952, Simon McVittie) Add locking to DBusCounter's reference count and notify function (fd.o #89297, Adrian Szyndela) Ensure that DBusTransport's reference count is protected by the corresponding DBusConnection's lock (fd.o #90312, Adrian Szyndela) Correctly release DBusServer mutex before early-return if we run out of memory while copying authentication mechanisms (fd.o #90021, Ralf Habacker) Correctly initialize all fields of DBusTypeReader (fd.o #90021, Ralf Habacker, Simon McVittie) Clean up some memory leaks in test code (fd.o #90021, Ralf Habacker) Affected Software/OS: 'dbus' package(s) on Mageia 5. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Copyright	Copyright (C) 2022 Greenbone AG