CVE-2014-3477 fixed in dbus/1.6.8-1+deb7u2
In case the mention of the CVE ID in debian/changelog is not enough for
someone to update the security tracker: CVE-2014-3477 is fixed in
dbus/1.6.8-1+deb7u2, which was just accepted into proposed-updates.
It was also fixed in dbus/1.8.4-1 for testing/unstable.
If this change is desired in squeeze-lts (it's only a local denial of
service and there was no DSA, so perhaps not), the upstream dbus-1.2
branch on freedesktop.org has a commit with some trivial merge conflicts
(whitespace) resolved. I don't intend to upload to squeeze-lts myself.