Debian DSA-3099-1 : dbus - security update

low Nessus Plugin ID 79886

Synopsis

The remote Debian host is missing a security-related update.

Description

Simon McVittie discovered that the fix for CVE-2014-3636 was incorrect, as it did not fully address the underlying denial-of-service vector. This update starts the D-Bus daemon as root initially, so that it can properly raise its file descriptor count.

In addition, this update reverts the auth_timeout change made in the previous security update to its old value, because the new value causes boot failures on some systems. See the README.Debian file for details on how to harden the D-Bus daemon against malicious local users.

Solution

Upgrade the dbus packages.

For the stable distribution (wheezy), these problems have been fixed in version 1.6.8-1+deb7u5.

For the upcoming stable distribution (jessie) and the unstable distribution (sid), these problems have been fixed in version 1.8.10-1.

See Also

https://security-tracker.debian.org/tracker/CVE-2014-3636

https://packages.debian.org/source/wheezy/dbus

https://www.debian.org/security/2014/dsa-3099

Plugin Details

Severity: Low

ID: 79886

File Name: debian_DSA-3099.nasl

Version: 1.8

Type: local

Agent: unix

Published: 12/15/2014

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:dbus, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 12/11/2014

Reference Information

CVE: CVE-2014-7824

BID: 71012

DSA: 3099