Release Info

Advisory: CLSA-2022:1669241224

OS: Ubuntu 16.04 ELS

Public date: 2022-11-23

Project: dbus

Version: 1.10.6-1ubuntu3.6+tuxcare.els1

Errata link: https://errata.cloudlinux.com/ubuntu16-els/CLSA-2022-1669241224.html

Changelog

* SECURITY UPDATE: Use-after-free in access control-related hash tables
  - debian/patches/CVE-2020-35512.patch: use reference counting for DBusUserInfo and DBusGroupInfo structures.
  - CVE-2020-35512
* SECURITY UPDATE: Crash or incorrect parsing of a signature with wrongly nested '()' and '{}'
  - debian/patches/CVE-2022-42010.patch: add extra checking for brackets.
  - CVE-2022-42010
* SECURITY UPDATE: Out-of-bounds accesses during processing of arrays made up of an integer number of items
  - debian/patches/CVE-2022-42011.patch: validate length of arrays of fixed-length items.
  - CVE-2022-42011
* SECURITY UPDATE: Crash when message type and the pointer into its contents go out of sync
  - debian/patches/CVE-2022-42012.patch: byte-swap Unix fd indexes if needed.
  - CVE-2022-42012
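To illustrate the kind of bracket check the CVE-2022-42010 entry refers to, here is a stand-alone validator for '()' and '{}' nesting in a D-Bus type signature. It is example code written for this page, not the dbus project's own patch; the function name and the MAX_NEST limit are this example's choices, and it deliberately checks only bracket pairing plus the rule that a dict entry must be an array element type.

```c
#include <stddef.h>
#include <stdio.h>

/* Nesting limit for this checker (chosen for the example; the D-Bus
 * specification separately caps struct and array nesting at 32 each). */
#define MAX_NEST 64

/* Returns 1 when every '(' is closed by ')' and every '{' by '}' in proper
 * nesting order, and every '{' directly follows an 'a' (dict entries are only
 * valid as array element types). Returns 0 for any mismatch, an unclosed
 * bracket, a stray closing bracket, or excessive depth. Other signature
 * rules (e.g. dict-entry key must be a basic type) are not checked here. */
int dbus_sig_brackets_ok(const char *sig)
{
    char stack[MAX_NEST];   /* open brackets seen so far, innermost last */
    size_t depth = 0;

    for (size_t i = 0; sig[i] != '\0'; i++) {
        char c = sig[i];
        switch (c) {
        case '(':
            if (depth == MAX_NEST) return 0;
            stack[depth++] = c;
            break;
        case '{':
            if (i == 0 || sig[i - 1] != 'a') return 0; /* must be 'a{' */
            if (depth == MAX_NEST) return 0;
            stack[depth++] = c;
            break;
        case ')':
            if (depth == 0 || stack[depth - 1] != '(') return 0;
            depth--;
            break;
        case '}':
            if (depth == 0 || stack[depth - 1] != '{') return 0;
            depth--;
            break;
        default:
            break;              /* basic types, 'a', 'v' etc. need no pairing */
        }
    }
    return depth == 0;          /* everything opened must have been closed */
}

int main(void)
{
    const char *samples[] = { "a{sv}", "(ia{s(ii)})", "a{s(i})", "(a{si)}", "(i", "{sv}" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i], dbus_sig_brackets_ok(samples[i]) ? "ok" : "rejected");
    return 0;
}
```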

Update

Update command:

apt-get update
apt-get --only-upgrade install dbus*

Packages list

dbus_1.10.6-1ubuntu3.6+tuxcare.els1_amd64.deb
dbus-1-doc_1.10.6-1ubuntu3.6+tuxcare.els1_all.deb
dbus-tests_1.10.6-1ubuntu3.6+tuxcare.els1_amd64.deb
dbus-user-session_1.10.6-1ubuntu3.6+tuxcare.els1_all.deb
dbus-x11_1.10.6-1ubuntu3.6+tuxcare.els1_amd64.deb
libdbus-1-3_1.10.6-1ubuntu3.6+tuxcare.els1_amd64.deb
libdbus-1-dev_1.10.6-1ubuntu3.6+tuxcare.els1_amd64.deb

CVEs

CVE-2020-35512
CVE-2022-42011
CVE-2022-42010
CVE-2022-42012