On Mon, Aug 16, 2010 at 17:50:15 +0100, Simon McVittie wrote:

> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: freeze-exception
> Tags: security
>
> Colin Walters has released dbus-glib 0.88, with a security fix for system-bus
> services that use dbus-glib (CVE 2010-1172,
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=592753, Red Hat #585394,
> LP #616517).
>
Please upload to sid.

> The diffstat is somewhat intimidating, but I believe that taking all of 0.88
> is a better option for squeeze than backporting the security fix to 0.86,
> because:
>
> - the majority of the changes are the single commit that adds the security fix
> - the majority of the *other* changes are also targeted bugfixes
> - the security fix adds ABI (to let system services tell dbus-glib which
>   properties they intended to export), so it's a mini-transition already
>
> The potentially-vulnerable services can be approximated as those that install
> a file in /etc/dbus-1/system.d and depend on dbus-glib. Fedora people have
> already checked several system-bus services; see the bug.
>
> After uploading the version with the security fix, system services that are
> vulnerable will need rebuilding against it. The new version of
> dbus-binding-tool should arrange for the right data structures to appear,
> without source changes.
>
Can you give us the list of packages that need to be rebuilt against the new
dbus-glib?

Cheers,
Julien
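
Added example (not part of the original mail, and not code from Debian or dbus-glib): one way to approximate the rebuild list with the heuristic quoted above, by intersecting the packages that ship a file under /etc/dbus-1/system.d with those that depend on the dbus-glib runtime library. The Contents-style and Packages-style input layouts and the default library package name libdbus-glib-1-2 are assumptions, and the sample package names are constructed.

```shell
# Added example, not from the mail: approximate the rebuild list with the
# heuristic "ships a file in /etc/dbus-1/system.d AND depends on dbus-glib".
#   $1  Contents-style index: "<path>  <section/pkg>[,<section/pkg>...]"
#   $2  Packages-style index: stanzas with Package: and Depends: fields
#   $3  runtime library package (assumed default: libdbus-glib-1-2)
dbus_glib_rebuild_candidates() {
    lib=${3:-libdbus-glib-1-2}
    {
        # Set 1: owners of bus policy files under etc/dbus-1/system.d/.
        awk '$1 ~ /^etc\/dbus-1\/system\.d\/./ {
            n = split($NF, own, ",")
            for (i = 1; i <= n; i++) { sub(/^.*\//, "", own[i]); print own[i] }
        }' "$1" | sort -u
        # Set 2: packages whose (Pre-)Depends names the library exactly,
        # ignoring version constraints and splitting "a | b" alternatives.
        awk -v lib="$lib" 'BEGIN { RS = ""; FS = "\n" } {
            pkg = ""; hit = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package: /) pkg = substr($i, 10)
                if ($i !~ /^(Pre-)?Depends: /) continue
                dep = $i; sub(/^[^:]*: /, "", dep)
                n = split(dep, alt, /[,|]/)
                for (j = 1; j <= n; j++) {
                    sub(/^ +/, "", alt[j]); sub(/ *\(.*$/, "", alt[j]); sub(/ +$/, "", alt[j])
                    if (alt[j] == lib) hit = 1
                }
            }
            if (hit && pkg != "") print pkg
        }' "$2" | sort -u
    } | sort | uniq -d   # a name present in both sets is a rebuild candidate
}
# Constructed sample data (package names are made up for illustration).
demo_dir=$(mktemp -d)
cat > "$demo_dir/Contents" <<'EOF'
etc/dbus-1/system.d/org.example.Alpha.conf   net/alpha-daemon
etc/dbus-1/system.d/org.example.Beta.conf    admin/beta-daemon,admin/beta-extra
etc/dbus-1/session.d/org.example.Gamma.conf  gnome/gamma-applet
EOF
cat > "$demo_dir/Packages" <<'EOF'
Package: alpha-daemon
Depends: libc6 (>= 2.7), libdbus-glib-1-2 (>= 0.78), libglib2.0-0

Package: beta-daemon
Depends: libc6 (>= 2.7), libdbus-1-3 (>= 1.1.1)

Package: gamma-applet
Depends: libdbus-glib-1-2 (>= 0.78)
EOF
dbus_glib_rebuild_candidates "$demo_dir/Contents" "$demo_dir/Packages"
```

The result is an approximation only, as the quoted report says: a package on the list still needs checking against the bug before it is scheduled for a rebuild.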