CVE-2019-12749 : Debian has Released Security Update for dbus

Debian has released a security update for the dbus package.

This release fixes a vulnerability in the dbus package.

Date Reported: 11-June-2019

Fix Released On: 13-June-2019

Severity Level: Low

Affected Packages: dbus

Affected Operating System & Version:

  • Debian 8 (Jessie)
  • Debian 9 (Stretch)

Details:

Joe Vennix discovered an authentication bypass vulnerability in dbus, an asynchronous inter-process communication system.

The implementation of the DBUS_COOKIE_SHA1 authentication mechanism was susceptible to a symbolic link attack.

A local attacker could take advantage of this flaw to bypass authentication and connect to a DBusServer with elevated privileges.

The standard system and session dbus-daemons in their default configuration are not affected by this vulnerability.

The vulnerability was addressed by upgrading dbus to a new upstream version 1.10.28 which includes additional fixes.

It is recommended to update the dbus package as soon as possible.

For more details about the security issues, and other related information, refer to the CVE pages.

Solution:

  • This issue has been fixed on Debian 9 (Stretch) in version 1.10.28-0+deb9u1.
  • This issue has been fixed on Debian 8 (Jessie) in version 1.8.22-0+deb8u2.

Run the following command to install the above update.

$ sudo apt install --only-upgrade dbus

Or install unattended-upgrades so that security updates are applied automatically.

$ sudo apt install unattended-upgrades

The installed security fixes can be verified in the package change log using the following methods.

Manual method:

$ zgrep -i "CVE-2019-12749" /usr/share/doc/dbus/changelog.Debian.gz

Using the debsecan command:

$ debsecan | grep CVE-2019-12749
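The changelog check above can be complemented by comparing the installed dbus version with the fixed versions listed in the Solution section. The script below is an added example, not part of the original advisory; the function names are hypothetical, and the fallback to sort -V on hosts without dpkg is an assumption that only approximates Debian version ordering.

```shell
#!/bin/sh
# Added example: decide whether a dbus package version contains the
# CVE-2019-12749 fix, using the fixed versions given in this advisory.

# Fixed version per Debian major release (from the Solution section).
fixed_version() {
    case "$1" in
        8) echo "1.8.22-0+deb8u2" ;;
        9) echo "1.10.28-0+deb9u1" ;;
        *) return 1 ;;
    esac
}

# version_ge A B: succeeds when version A is greater than or equal to B.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        # Assumption: no dpkg available, approximate with GNU version sort.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# dbus_status RELEASE VERSION: prints fixed, vulnerable or unknown-release.
# Exit status: 0 fixed, 1 vulnerable, 2 release not covered by the advisory.
dbus_status() {
    fixed=$(fixed_version "$1") || { echo "unknown-release"; return 2; }
    if version_ge "$2" "$fixed"; then
        echo "fixed"
    else
        echo "vulnerable"
        return 1
    fi
}

# check_installed: apply dbus_status to the running Debian system.
check_installed() {
    release=$(cut -d. -f1 /etc/debian_version)
    installed=$(dpkg-query -W -f='${Version}' dbus)
    dbus_status "$release" "$installed"
}

# Run the live check only when asked, e.g. "sh check-dbus.sh --check".
if [ "${1:-}" = "--check" ]; then
    check_installed
fi
```

The exit status makes the check usable from configuration management or a monitoring probe across a fleet of Jessie and Stretch hosts.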
