Debian has released a security update for the dbus package.
This release fixes a vulnerability in the dbus package.
Date Reported: 11-June-2019
Fix Released On: 13-June-2019
Severity Level: Low
Affected Packages: dbus
Affected Operating System & Version:
- Debian 8 (Jessie)
- Debian 9 (Stretch)
Joe Vennix discovered an authentication bypass vulnerability in dbus, an asynchronous inter-process communication system.
The implementation of the DBUS_COOKIE_SHA1 authentication mechanism was susceptible to a symbolic link attack.
A local attacker could take advantage of this flaw to bypass authentication and connect to a DBusServer with elevated privileges.
The standard system and session dbus-daemons in their default configuration are not affected by this vulnerability.
The vulnerability was addressed by upgrading dbus to a new upstream version 1.10.28 which includes additional fixes.
It is recommended to update the dbus package as soon as possible.
For more details about the security issues, and other related information, refer to the CVE pages.
Debian Security Advisory References:
Security Database References (CVE):
- CVE-2019-12749
- This issue has been fixed on Debian 9 (Stretch) in version 1.10.28-0+deb9u1.
- This issue has been fixed on Debian 8 (Jessie) in version 1.8.22-0+deb8u2.
Run one of the following commands to install the above update.
$ sudo apt install --only-upgrade dbus
or
$ sudo apt install unattended-upgrades
The installed security fix can be verified in the package changelog using either of the following methods.
Manually, by searching the changelog:
$ zgrep -i "CVE-2019-12749" /usr/share/doc/dbus/changelog.Debian.gz
Using the debsecan command:
$ debsecan | grep CVE-2019-12749