ID OPENVAS:1361412562310868813 Type openvas Reporter Copyright (C) 2015 Greenbone Networks GmbH Modified 2019-03-15T00:00:00
Description
The remote host is missing an update for the 'mingw-dbus' package(s) announced via the referenced advisory.
###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for mingw-dbus FEDORA-2014-17595
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
if(description)
{
  # Metadata-only branch: runs when the interpreter sets `description`.
  # It registers the plugin's identity, scoring and prerequisites, then
  # exits before any host-facing logic is reached.

  # --- Identity ---------------------------------------------------------
  script_oid("1.3.6.1.4.1.25623.1.0.868813");
  script_name("Fedora Update for mingw-dbus FEDORA-2014-17595");
  script_version("$Revision: 14223 $");
  script_family("Fedora Local Security Checks");
  script_copyright("Copyright (C) 2015 Greenbone Networks GmbH");
  script_tag(name:"creation_date", value:"2015-01-05 14:55:24 +0100 (Mon, 05 Jan 2015)");
  script_tag(name:"last_modification", value:"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $");

  # --- Covered CVEs and severity ----------------------------------------
  # One CVSS v2 base score/vector is attached to the whole advisory, not to
  # each CVE; consult the individual CVE records when prioritising.
  script_cve_id("CVE-2014-7824", "CVE-2014-3638", "CVE-2014-3639",
                "CVE-2014-3636", "CVE-2014-3637", "CVE-2014-3635",
                "CVE-2014-3477", "CVE-2014-3533", "CVE-2014-3532");
  script_tag(name:"cvss_base", value:"4.4");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:M/Au:N/C:P/I:P/A:P");

  # --- Report texts -----------------------------------------------------
  # The summary literal spans two source lines; the line break is part of
  # the string, so the continuation line is deliberately left unindented.
  script_tag(name:"summary", value:"The remote host is missing an update for the 'mingw-dbus'
package(s) announced via the referenced advisory.");
  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
  script_tag(name:"affected", value:"mingw-dbus on Fedora 21");
  script_tag(name:"solution", value:"Please install the updated package(s).");
  script_tag(name:"solution_type", value:"VendorFix");

  # --- References -------------------------------------------------------
  script_xref(name:"FEDORA", value:"2014-17595");
  script_xref(name:"URL", value:"https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147327.html");

  # --- Detection quality and prerequisites ------------------------------
  # qod_type "package": the finding is derived from the installed package
  # version, not from probing the flaw itself.
  script_tag(name:"qod_type", value:"package");
  script_category(ACT_GATHER_INFO);
  script_dependencies("gather-package-list.nasl");
  # The check requires the ssh/login/* keys below, i.e. it only runs where
  # an authenticated login produced an RPM list for a host reporting FC21.
  # A host scanned without credentials yields no result from this plugin,
  # which is not the same as "not affected".
  script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC21");

  exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
# Check phase: compare the installed mingw-dbus RPM on a Fedora 21 host
# against the fixed build named in advisory FEDORA-2014-17595.

# Release identifier for the target; presumably populated from the
# authenticated package gathering step (helper comes from an include).
release = rpm_get_ssh_release();
if(!release)
  exit(0);   # no release information: nothing can be concluded

res = "";

if(release == "FC21")
{
  # isrpmvuln() is handed the fixed build (1.8.12-1.fc21). A non-NULL
  # return is treated as the report text for a vulnerable install;
  # presumably that means the installed version is older (confirm in
  # pkg-lib-rpm.inc).
  res = isrpmvuln(pkg:"mingw-dbus", rpm:"mingw-dbus~1.8.12~1.fc21", rls:"FC21");

  if (res != NULL)
    security_message(data:res);
  else if (__pkg_match)
    # Exit code 99 is the scanner convention for "checked, not vulnerable";
    # __pkg_match is presumably set by the package library when the
    # package was found installed. TODO confirm against pkg-lib-rpm.inc.
    exit(99);

  exit(0);
}
{"id": "OPENVAS:1361412562310868813", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora Update for mingw-dbus FEDORA-2014-17595", "description": "The remote host is missing an update for the ", "published": "2015-01-05T00:00:00", "modified": "2019-03-15T00:00:00", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868813", "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147327.html", "2014-17595"], "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3477", "CVE-2014-7824", "CVE-2014-3639"], "lastseen": "2019-05-29T18:36:17", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["EULEROS_SA-2016-1037.NASL", "FEDORA_2014-16227.NASL", "GENTOO_GLSA-201412-12.NASL", "MANDRIVA_MDVSA-2014-214.NASL", "OPENSUSE-2014-557.NASL", "FEDORA_2014-16147.NASL", "FEDORA_2014-17595.NASL", "MANDRIVA_MDVSA-2015-176.NASL", "OPENSUSE-2014-558.NASL", "FEDORA_2014-17570.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310868618", "OPENVAS:1361412562310868585", "OPENVAS:1361412562310841972", "OPENVAS:1361412562310868788", "OPENVAS:1361412562310121298", "OPENVAS:1361412562310868756", "OPENVAS:1361412562310703026", "OPENVAS:1361412562311220161037", "OPENVAS:1361412562310869024", "OPENVAS:1361412562310869014"]}, {"type": "fedora", "idList": ["FEDORA:1119D60877A4", "FEDORA:D5EC06087CBD", "FEDORA:CAD776087879", "FEDORA:AC68E60876CB", "FEDORA:44EE260874C7", "FEDORA:667326092056", "FEDORA:B2442605DFD1", "FEDORA:36C6A23F58"]}, {"type": "gentoo", "idList": ["GLSA-201412-12"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13895", "SECURITYVULNS:DOC:30965", "SECURITYVULNS:DOC:31096", "SECURITYVULNS:DOC:31403", "SECURITYVULNS:VULN:13974", "SECURITYVULNS:DOC:31682"]}, {"type": "freebsd", 
"idList": ["E6A7636A-02D0-11E4-88B6-080027671656", "52BBC7E8-F13C-11E3-BC09-BCAEC565249C", "C1930F45-6982-11E4-80E1-BCAEC565249C", "38242D51-3E58-11E4-AC2F-BCAEC565249C"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3026-1:0453E", "DEBIAN:DSA-2971-1:10302", "DEBIAN:DLA-87-1:B379F", "DEBIAN:DSA-3099-1:DAD5F"]}, {"type": "ubuntu", "idList": ["USN-2275-1", "USN-2425-1", "USN-2352-1"]}, {"type": "cve", "idList": ["CVE-2014-3533", "CVE-2014-7824", "CVE-2014-3639", "CVE-2014-3637", "CVE-2014-3638", "CVE-2014-3477", "CVE-2014-3635", "CVE-2014-3532", "CVE-2014-3636"]}, {"type": "f5", "idList": ["F5:K17255", "SOL17256", "SOL17257", "F5:K17257", "SOL17255", "F5:K17256"]}, {"type": "archlinux", "idList": ["ASA-201411-28"]}, {"type": "suse", "idList": ["SUSE-SU-2014:1146-1", "SUSE-SU-2017:2699-1", "SUSE-SU-2017:2700-1"]}], "modified": "2019-05-29T18:36:17", "rev": 2}, "score": {"value": 6.2, "vector": "NONE", "modified": "2019-05-29T18:36:17", "rev": 2}, "vulnersScore": 6.2}, "pluginID": "1361412562310868813", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mingw-dbus FEDORA-2014-17595\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868813\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-05 14:55:24 +0100 (Mon, 05 Jan 2015)\");\n script_cve_id(\"CVE-2014-7824\", \"CVE-2014-3638\", \"CVE-2014-3639\", \"CVE-2014-3636\",\n \"CVE-2014-3637\", \"CVE-2014-3635\", \"CVE-2014-3477\", \"CVE-2014-3533\",\n \"CVE-2014-3532\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for mingw-dbus FEDORA-2014-17595\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mingw-dbus'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"mingw-dbus on Fedora 21\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2014-17595\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147327.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC21\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw-dbus\", rpm:\"mingw-dbus~1.8.12~1.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "Fedora Local Security Checks"}
{"openvas": [{"lastseen": "2019-05-29T18:37:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3477", "CVE-2014-7824", "CVE-2014-3639"], "description": "Check the version of dbus", "modified": "2019-03-15T00:00:00", "published": "2014-12-14T00:00:00", "id": "OPENVAS:1361412562310868585", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868585", "type": "openvas", "title": "Fedora Update for dbus FEDORA-2014-16243", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for dbus FEDORA-2014-16243\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868585\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-12-14 06:02:00 +0100 (Sun, 14 Dec 2014)\");\n script_cve_id(\"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\", \"CVE-2014-3638\",\n \"CVE-2014-3639\", \"CVE-2014-7824\", \"CVE-2014-3477\", \"CVE-2014-3532\",\n \"CVE-2014-3533\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for dbus FEDORA-2014-16243\");\n script_tag(name:\"summary\", value:\"Check the version of dbus\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"dbus on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2014-16243\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146098.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"dbus\", rpm:\"dbus~1.6.28~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3477", "CVE-2014-7824", "CVE-2014-3639"], "description": "Gentoo Linux Local Security Checks GLSA 201412-12", "modified": "2018-10-26T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310121298", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121298", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201412-12", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201412-12.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121298\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:28:09 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201412-12\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been discovered in D-Bus. Please review the CVE identifiers referenced below for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201412-12\");\n script_cve_id(\"CVE-2014-3477\", \"CVE-2014-3532\", \"CVE-2014-3533\", \"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\", \"CVE-2014-3638\", \"CVE-2014-3639\", \"CVE-2014-7824\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201412-12\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"sys-apps/dbus\", 
unaffected: make_list(\"ge 1.8.10\"), vulnerable: make_list(\"lt 1.8.10\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3477", "CVE-2014-7824", "CVE-2014-3639"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-01-05T00:00:00", "id": "OPENVAS:1361412562310868788", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868788", "type": "openvas", "title": "Fedora Update for mingw-dbus FEDORA-2014-17570", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mingw-dbus FEDORA-2014-17570\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868788\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-05 14:51:47 +0100 (Mon, 05 Jan 2015)\");\n script_cve_id(\"CVE-2014-7824\", \"CVE-2014-3638\", \"CVE-2014-3639\", \"CVE-2014-3636\",\n \"CVE-2014-3637\", \"CVE-2014-3635\", \"CVE-2014-3477\", \"CVE-2014-3533\",\n \"CVE-2014-3532\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for mingw-dbus FEDORA-2014-17570\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mingw-dbus'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"mingw-dbus on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2014-17570\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147337.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw-dbus\", rpm:\"mingw-dbus~1.6.28~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:39:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3477", "CVE-2014-7824", "CVE-2015-0245", "CVE-2014-3639"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220161037", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220161037", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for dbus (EulerOS-SA-2016-1037)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2016.1037\");\n script_version(\"2020-01-23T10:39:53+0000\");\n script_cve_id(\"CVE-2014-3477\", \"CVE-2014-3532\", \"CVE-2014-3533\", \"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\", \"CVE-2014-3638\", \"CVE-2014-3639\", \"CVE-2014-7824\", \"CVE-2015-0245\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:39:53 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:39:53 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for dbus (EulerOS-SA-2016-1037)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2016-1037\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1037\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'dbus' package(s) announced via the EulerOS-SA-2016-1037 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a 
denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded.(CVE-2014-3532)\n\ndbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.(CVE-2014-3533)\n\nD-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds.(CVE-2015-0245)\n\nD-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call.(CVE-2014-3636)\n\nThe dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service.(CVE-2014-3477)\n\nD-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor.(CVE-2014-3637)\n\nOff-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 
1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.(CVE-2014-3635)\n\nThe bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'dbus' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"dbus\", rpm:\"dbus~1.6.12~11.h10\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"dbus-devel\", rpm:\"dbus-devel~1.6.12~11.h10\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"dbus-libs\", rpm:\"dbus-libs~1.6.12~11.h10\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"dbus-x11\", rpm:\"dbus-x11~1.6.12~11.h10\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", 
"CVE-2014-3637", "CVE-2014-3477", "CVE-2014-7824", "CVE-2015-0245", "CVE-2014-3639"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-02-20T00:00:00", "id": "OPENVAS:1361412562310869024", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869024", "type": "openvas", "title": "Fedora Update for dbus FEDORA-2015-2060", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for dbus FEDORA-2015-2060\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869024\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-20 05:45:50 +0100 (Fri, 20 Feb 2015)\");\n script_cve_id(\"CVE-2015-0245\", \"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\",\n \"CVE-2014-3638\", \"CVE-2014-3639\", \"CVE-2014-7824\", \"CVE-2014-3477\",\n \"CVE-2014-3532\", \"CVE-2014-3533\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for dbus FEDORA-2015-2060\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'dbus'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"dbus on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-2060\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150150.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"dbus\", rpm:\"dbus~1.6.30~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3532", "CVE-2014-3533", "CVE-2013-2168", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3477", "CVE-2014-7824", "CVE-2014-3639"], "description": "Check the version of dbus", "modified": "2019-03-15T00:00:00", "published": "2014-12-20T00:00:00", "id": "OPENVAS:1361412562310868618", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868618", "type": "openvas", "title": "Fedora Update for dbus FEDORA-2014-16227", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for dbus FEDORA-2014-16227\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868618\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-12-20 05:57:44 +0100 (Sat, 20 Dec 2014)\");\n script_cve_id(\"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\", \"CVE-2014-3638\",\n \"CVE-2014-3639\", \"CVE-2014-7824\", \"CVE-2014-3477\", \"CVE-2014-3532\",\n \"CVE-2014-3533\", \"CVE-2013-2168\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for dbus FEDORA-2014-16227\");\n script_tag(name:\"summary\", value:\"Check the version of dbus\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"dbus on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2014-16227\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146403.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"dbus\", rpm:\"dbus~1.6.28~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-7824", "CVE-2014-3639"], "description": "The remote host is missing an update for the 'dbus' package(s) announced via the referenced advisory.", "modified": "2019-03-15T00:00:00", "published": "2015-01-05T00:00:00", "id": "OPENVAS:1361412562310868756", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868756", "type": "openvas", "title": "Fedora Update for dbus FEDORA-2014-16147", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for dbus FEDORA-2014-16147\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868756\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-05 14:49:11 +0100 (Mon, 05 Jan 2015)\");\n script_cve_id(\"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\", \"CVE-2014-3638\",\n \"CVE-2014-3639\", \"CVE-2014-7824\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for dbus FEDORA-2014-16147\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'dbus'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"dbus on Fedora 21\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2014-16147\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146313.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC21\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"dbus\", rpm:\"dbus~1.8.12~1.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3639"], "description": "The remote host is missing an update for the 'dbus' package(s) announced via the referenced advisory.", "modified": "2019-03-13T00:00:00", "published": "2014-09-23T00:00:00", "id": "OPENVAS:1361412562310841972", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841972", "type": "openvas", "title": "Ubuntu Update for dbus USN-2352-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2352_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for dbus USN-2352-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841972\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-09-23 05:53:39 +0200 (Tue, 23 Sep 2014)\");\n script_cve_id(\"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\", \"CVE-2014-3638\",\n \"CVE-2014-3639\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"Ubuntu Update for dbus USN-2352-1\");\n script_tag(name:\"insight\", value:\"Simon McVittie discovered that DBus\nincorrectly handled the file descriptors message limit. A local attacker\ncould use this issue to cause DBus to crash, resulting in a denial of\nservice, or possibly execute arbitrary code. This issue only applied to\nUbuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3635)\n\nAlban Crequy discovered that DBus incorrectly handled a large number of\nfile descriptor messages. A local attacker could use this issue to cause\nDBus to stop responding, resulting in a denial of service. This issue only\napplied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3636)\n\nAlban Crequy discovered that DBus incorrectly handled certain file\ndescriptor messages. A local attacker could use this issue to cause DBus\nto maintain persistent connections, possibly resulting in a denial of\nservice. 
This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.\n(CVE-2014-3637)\n\nAlban Crequy discovered that DBus incorrectly handled a large number of\nparallel connections and parallel message calls. A local attacker could use\nthis issue to cause DBus to consume resources, possibly resulting in a\ndenial of service. (CVE-2014-3638)\n\nAlban Crequy discovered that DBus incorrectly handled incomplete\nconnections. A local attacker could use this issue to cause DBus to fail\nlegitimate connection attempts, resulting in a denial of service.\n(CVE-2014-3639)\");\n script_tag(name:\"affected\", value:\"dbus on Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS,\n Ubuntu 10.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"USN\", value:\"2352-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2352-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'dbus'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|10\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"dbus\", ver:\"1.6.18-0ubuntu4.2\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libdbus-1-3:i386\", ver:\"1.6.18-0ubuntu4.2\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libdbus-1-3:amd64\", ver:\"1.6.18-0ubuntu4.2\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"dbus\", ver:\"1.4.18-1ubuntu1.6\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libdbus-1-3\", ver:\"1.4.18-1ubuntu1.6\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"dbus\", ver:\"1.2.16-2ubuntu4.8\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libdbus-1-3\", ver:\"1.2.16-2ubuntu4.8\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3639"], "description": "Alban Crequy and Simon McVittie discovered several vulnerabilities in\nthe D-Bus message daemon.\n\nCVE-2014-3635\nOn 64-bit platforms, file descriptor passing could be abused by\nlocal users to cause heap corruption in dbus-daemon,\nleading to a crash, or potentially to arbitrary code execution.\n\nCVE-2014-3636\nA denial-of-service vulnerability in dbus-daemon allowed local\nattackers to prevent new connections to dbus-daemon, or disconnect\nexisting clients, by exhausting descriptor limits.\n\nCVE-2014-3637\nMalicious local users could create D-Bus connections to\ndbus-daemon which could not be terminated by killing the\nparticipating processes, resulting in a 
denial-of-service\nvulnerability.\n\nCVE-2014-3638\ndbus-daemon suffered from a denial-of-service vulnerability in the\ncode which tracks which messages expect a reply, allowing local\nattackers to reduce the performance of dbus-daemon.\n\nCVE-2014-3639\ndbus-daemon did not properly reject malicious connections from\nlocal users, resulting in a denial-of-service vulnerability.", "modified": "2019-03-19T00:00:00", "published": "2014-09-16T00:00:00", "id": "OPENVAS:1361412562310703026", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703026", "type": "openvas", "title": "Debian Security Advisory DSA 3026-1 (dbus - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3026.nasl 14302 2019-03-19 08:28:48Z cfischer $\n# Auto-generated from advisory DSA 3026-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703026\");\n script_version(\"$Revision: 14302 $\");\n script_cve_id(\"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\", \"CVE-2014-3638\", \"CVE-2014-3639\");\n script_name(\"Debian Security Advisory DSA 3026-1 (dbus - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-19 09:28:48 +0100 (Tue, 19 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-09-16 00:00:00 +0200 (Tue, 16 Sep 2014)\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2014/dsa-3026.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"dbus on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (wheezy), these problems have been fixed in\nversion 1.6.8-1+deb7u4.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.8.8-1.\n\nWe recommend that you upgrade your dbus packages.\");\n script_tag(name:\"summary\", value:\"Alban Crequy and Simon McVittie discovered several vulnerabilities in\nthe D-Bus message daemon.\n\nCVE-2014-3635\nOn 64-bit platforms, file descriptor passing could be abused by\nlocal users to cause heap corruption in dbus-daemon,\nleading to a crash, or potentially to 
arbitrary code execution.\n\nCVE-2014-3636\nA denial-of-service vulnerability in dbus-daemon allowed local\nattackers to prevent new connections to dbus-daemon, or disconnect\nexisting clients, by exhausting descriptor limits.\n\nCVE-2014-3637\nMalicious local users could create D-Bus connections to\ndbus-daemon which could not be terminated by killing the\nparticipating processes, resulting in a denial-of-service\nvulnerability.\n\nCVE-2014-3638\ndbus-daemon suffered from a denial-of-service vulnerability in the\ncode which tracks which messages expect a reply, allowing local\nattackers to reduce the performance of dbus-daemon.\n\nCVE-2014-3639\ndbus-daemon did not properly reject malicious connections from\nlocal users, resulting in a denial-of-service vulnerability.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"dbus\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"dbus-1-dbg\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"dbus-1-doc\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"dbus-x11\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libdbus-1-3\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libdbus-1-dev\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-08-02T10:49:10", 
"bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3639"], "description": "Alban Crequy and Simon McVittie discovered several vulnerabilities in\nthe D-Bus message daemon.\n\nCVE-2014-3635 \nOn 64-bit platforms, file descriptor passing could be abused by\nlocal users to cause heap corruption in dbus-daemon,\nleading to a crash, or potentially to arbitrary code execution.\n\nCVE-2014-3636 \nA denial-of-service vulnerability in dbus-daemon allowed local\nattackers to prevent new connections to dbus-daemon, or disconnect\nexisting clients, by exhausting descriptor limits.\n\nCVE-2014-3637 \nMalicious local users could create D-Bus connections to\ndbus-daemon which could not be terminated by killing the\nparticipating processes, resulting in a denial-of-service\nvulnerability.\n\nCVE-2014-3638 \ndbus-daemon suffered from a denial-of-service vulnerability in the\ncode which tracks which messages expect a reply, allowing local\nattackers to reduce the performance of dbus-daemon.\n\nCVE-2014-3639 \ndbus-daemon did not properly reject malicious connections from\nlocal users, resulting in a denial-of-service vulnerability.", "modified": "2017-07-18T00:00:00", "published": "2014-09-16T00:00:00", "id": "OPENVAS:703026", "href": "http://plugins.openvas.org/nasl.php?oid=703026", "type": "openvas", "title": "Debian Security Advisory DSA 3026-1 (dbus - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3026.nasl 6750 2017-07-18 09:56:47Z teissa $\n# Auto-generated from advisory DSA 3026-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public 
License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703026);\n script_version(\"$Revision: 6750 $\");\n script_cve_id(\"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\", \"CVE-2014-3638\", \"CVE-2014-3639\");\n script_name(\"Debian Security Advisory DSA 3026-1 (dbus - security update)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-18 11:56:47 +0200 (Tue, 18 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2014-09-16 00:00:00 +0200 (Tue, 16 Sep 2014)\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-3026.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"dbus on Debian Linux\");\n script_tag(name: \"insight\", value: \"D-Bus is a message bus, used for sending messages between applications.\nConceptually, it fits somewhere in between raw sockets and CORBA in\nterms of complexity.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (wheezy), these problems have been fixed 
in\nversion 1.6.8-1+deb7u4.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.8.8-1.\n\nWe recommend that you upgrade your dbus packages.\");\n script_tag(name: \"summary\", value: \"Alban Crequy and Simon McVittie discovered several vulnerabilities in\nthe D-Bus message daemon.\n\nCVE-2014-3635 \nOn 64-bit platforms, file descriptor passing could be abused by\nlocal users to cause heap corruption in dbus-daemon,\nleading to a crash, or potentially to arbitrary code execution.\n\nCVE-2014-3636 \nA denial-of-service vulnerability in dbus-daemon allowed local\nattackers to prevent new connections to dbus-daemon, or disconnect\nexisting clients, by exhausting descriptor limits.\n\nCVE-2014-3637 \nMalicious local users could create D-Bus connections to\ndbus-daemon which could not be terminated by killing the\nparticipating processes, resulting in a denial-of-service\nvulnerability.\n\nCVE-2014-3638 \ndbus-daemon suffered from a denial-of-service vulnerability in the\ncode which tracks which messages expect a reply, allowing local\nattackers to reduce the performance of dbus-daemon.\n\nCVE-2014-3639 \ndbus-daemon did not properly reject malicious connections from\nlocal users, resulting in a denial-of-service vulnerability.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"dbus\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"dbus-1-dbg\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"dbus-1-doc\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"dbus-x11\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libdbus-1-3\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libdbus-1-dev\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"dbus\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"dbus-1-dbg\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"dbus-1-doc\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"dbus-x11\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libdbus-1-3\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libdbus-1-dev\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"dbus\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"dbus-1-dbg\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"dbus-1-doc\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"dbus-x11\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libdbus-1-3\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libdbus-1-dev\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"dbus\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"dbus-1-dbg\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"dbus-1-doc\", ver:\"1.6.8-1+deb7u4\", 
rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"dbus-x11\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libdbus-1-3\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libdbus-1-dev\", ver:\"1.6.8-1+deb7u4\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:47:01", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3477", "CVE-2014-7824", "CVE-2014-3639"], "description": "### Background\n\nD-Bus is a message bus system, a simple way for applications to talk to one another. \n\n### Description\n\nMultiple vulnerabilities have been discovered in D-Bus. Please review the CVE identifiers referenced below for details. 
\n\n### Impact\n\nA local attacker could possibly cause a Denial of Service condition.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll D-Bus users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=sys-apps/dbus-1.8.10\"", "edition": 1, "modified": "2014-12-13T00:00:00", "published": "2014-12-13T00:00:00", "id": "GLSA-201412-12", "href": "https://security.gentoo.org/glsa/201412-12", "type": "gentoo", "title": "D-Bus: Multiple Vulnerabilities", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3477", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", "CVE-2014-3636", "CVE-2014-3637", "CVE-2014-3638", "CVE-2014-3639", "CVE-2014-7824"], "description": "D-BUS is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. ", "modified": "2014-12-13T09:47:30", "published": "2014-12-13T09:47:30", "id": "FEDORA:667326092056", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: dbus-1.6.28-1.fc20", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3477", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", "CVE-2014-3636", "CVE-2014-3637", "CVE-2014-3638", "CVE-2014-3639", "CVE-2014-7824"], "description": "D-BUS is a system for sending messages between applications. It is used both for the system wide message bus service, and as a per-user-login-session messaging facility. 
", "modified": "2015-01-02T05:04:52", "published": "2015-01-02T05:04:52", "id": "FEDORA:AC68E60876CB", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: mingw-dbus-1.6.28-1.fc20", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3477", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", "CVE-2014-3636", "CVE-2014-3637", "CVE-2014-3638", "CVE-2014-3639", "CVE-2014-7824"], "description": "D-BUS is a system for sending messages between applications. It is used both for the system wide message bus service, and as a per-user-login-session messaging facility. ", "modified": "2015-01-02T05:03:51", "published": "2015-01-02T05:03:51", "id": "FEDORA:1119D60877A4", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 21 Update: mingw-dbus-1.8.12-1.fc21", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2168", "CVE-2014-3477", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", "CVE-2014-3636", "CVE-2014-3637", "CVE-2014-3638", "CVE-2014-3639", "CVE-2014-7824"], "description": "D-BUS is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. ", "modified": "2014-12-19T18:26:33", "published": "2014-12-19T18:26:33", "id": "FEDORA:CAD776087879", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: dbus-1.6.28-1.fc19", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3477", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", "CVE-2014-3636", "CVE-2014-3637", "CVE-2014-3638", "CVE-2014-3639", "CVE-2014-7824", "CVE-2015-0245"], "description": "D-BUS is a system for sending messages between applications. 
It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. ", "modified": "2015-02-19T18:01:40", "published": "2015-02-19T18:01:40", "id": "FEDORA:D5EC06087CBD", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: dbus-1.6.30-1.fc20", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3635", "CVE-2014-3636", "CVE-2014-3637", "CVE-2014-3638", "CVE-2014-3639", "CVE-2014-7824"], "description": "D-BUS is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. ", "modified": "2014-12-17T04:46:59", "published": "2014-12-17T04:46:59", "id": "FEDORA:B2442605DFD1", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 21 Update: dbus-1.8.12-1.fc21", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3635", "CVE-2014-3636", "CVE-2014-3637", "CVE-2014-3638", "CVE-2014-3639", "CVE-2014-7824", "CVE-2015-0245"], "description": "D-BUS is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. ", "modified": "2015-02-16T03:26:31", "published": "2015-02-16T03:26:31", "id": "FEDORA:44EE260874C7", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 21 Update: dbus-1.8.16-1.fc21", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3477", "CVE-2014-3532", "CVE-2014-3533"], "description": "D-BUS is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. 
", "modified": "2014-07-08T01:04:40", "published": "2014-07-08T01:04:40", "id": "FEDORA:36C6A23F58", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: dbus-1.6.12-9.fc20", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}], "nessus": [{"lastseen": "2021-01-12T10:12:27", "description": " - Update to 1.8.12\\\\r\\\\n* Fixes various CVE's\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2015-01-02T00:00:00", "title": "Fedora 20 : mingw-dbus-1.6.28-1.fc20 (2014-17570)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3477", "CVE-2014-7824", "CVE-2014-3639"], "modified": "2015-01-02T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:mingw-dbus", "cpe:/o:fedoraproject:fedora:20"], "id": "FEDORA_2014-17570.NASL", "href": "https://www.tenable.com/plugins/nessus/80317", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-17570.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80317);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-3477\", \"CVE-2014-3532\", \"CVE-2014-3533\", \"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\", \"CVE-2014-3638\", \"CVE-2014-3639\", \"CVE-2014-7824\");\n script_bugtraq_id(67986, 68337, 68339, 69829, 69831, 69832, 69833, 69834, 71012);\n script_xref(name:\"FEDORA\", value:\"2014-17570\");\n\n script_name(english:\"Fedora 20 : mingw-dbus-1.6.28-1.fc20 (2014-17570)\");\n 
script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Update to 1.8.12\\\\r\\\\n* Fixes various CVE's\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1115637\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1117395\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1142582\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1173557\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147337.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9b30848c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mingw-dbus package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mingw-dbus\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/25\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"mingw-dbus-1.6.28-1.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mingw-dbus\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:12:27", "description": " - Update to 1.8.12\\\\r\\\\n* Fixes various CVE's\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the 
Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2015-01-02T00:00:00", "title": "Fedora 21 : mingw-dbus-1.8.12-1.fc21 (2014-17595)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3477", "CVE-2014-7824", "CVE-2014-3639"], "modified": "2015-01-02T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:21", "p-cpe:/a:fedoraproject:fedora:mingw-dbus"], "id": "FEDORA_2014-17595.NASL", "href": "https://www.tenable.com/plugins/nessus/80323", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-17595.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80323);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-3477\", \"CVE-2014-3532\", \"CVE-2014-3533\", \"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\", \"CVE-2014-3638\", \"CVE-2014-3639\", \"CVE-2014-7824\");\n script_bugtraq_id(67986, 68337, 68339, 69829, 69831, 69832, 69833, 69834, 71012);\n script_xref(name:\"FEDORA\", value:\"2014-17595\");\n\n script_name(english:\"Fedora 21 : mingw-dbus-1.8.12-1.fc21 (2014-17595)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Update to 1.8.12\\\\r\\\\n* Fixes various CVE's\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1115637\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1117395\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1142582\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1173557\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147327.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?263eaeff\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mingw-dbus package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mingw-dbus\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", 
\"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"mingw-dbus-1.8.12-1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mingw-dbus\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:56:36", "description": "The remote host is affected by the vulnerability described in GLSA-201412-12\n(D-Bus: Multiple Vulnerabilities)\n\n Multiple vulnerabilities have been discovered in D-Bus. 
Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n A local attacker could possibly cause a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 20, "published": "2014-12-15T00:00:00", "title": "GLSA-201412-12 : D-Bus: Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3477", "CVE-2014-7824", "CVE-2014-3639"], "modified": "2014-12-15T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:dbus"], "id": "GENTOO_GLSA-201412-12.NASL", "href": "https://www.tenable.com/plugins/nessus/79965", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201412-12.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79965);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-3477\", \"CVE-2014-3532\", \"CVE-2014-3533\", \"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\", \"CVE-2014-3638\", \"CVE-2014-3639\", \"CVE-2014-7824\");\n script_bugtraq_id(67986, 68337, 68339, 69829, 69831, 69832, 69833, 69834, 71012);\n script_xref(name:\"GLSA\", value:\"201412-12\");\n\n script_name(english:\"GLSA-201412-12 : D-Bus: Multiple Vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201412-12\n(D-Bus: Multiple Vulnerabilities)\n\n Multiple vulnerabilities have been discovered in D-Bus. 
Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n A local attacker could possibly cause a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201412-12\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All D-Bus users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=sys-apps/dbus-1.8.10'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:dbus\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif 
(qpkg_check(package:\"sys-apps/dbus\", unaffected:make_list(\"ge 1.8.10\"), vulnerable:make_list(\"lt 1.8.10\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"D-Bus\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:45:36", "description": "Updated dbus packages fix multiple vulnerabilities :\n\nA denial of service vulnerability in D-Bus before 1.6.20 allows a\nlocal attacker to cause a bus-activated service that is not currently\nrunning to attempt to start, and fail, denying other users access to\nthis service. Additionally, in highly unusual environments the same\nflaw could lead to a side channel between processes that should not be\nable to communicate (CVE-2014-3477).\n\nA flaw was reported in D-Bus's file descriptor passing feature. A\nlocal attacker could use this flaw to cause a service or application\nto disconnect from the bus, typically resulting in that service or\napplication exiting (CVE-2014-3532).\n\nA flaw was reported in D-Bus's file descriptor passing feature. 
A\nlocal attacker could use this flaw to cause an invalid file descriptor\nto be forwarded to a service or application, causing it to disconnect\nfrom the bus, typically resulting in that service or application\nexiting (CVE-2014-3533).\n\nOn 64-bit platforms, file descriptor passing could be abused by local\nusers to cause heap corruption in dbus-daemon, leading to a crash, or\npotentially to arbitrary code execution (CVE-2014-3635).\n\nA denial-of-service vulnerability in dbus-daemon allowed local\nattackers to prevent new connections to dbus-daemon, or disconnect\nexisting clients, by exhausting descriptor limits (CVE-2014-3636).\n\nMalicious local users could create D-Bus connections to dbus-daemon\nwhich could not be terminated by killing the participating processes,\nresulting in a denial-of-service vulnerability (CVE-2014-3637).\n\ndbus-daemon suffered from a denial-of-service vulnerability in the\ncode which tracks which messages expect a reply, allowing local\nattackers to reduce the performance of dbus-daemon (CVE-2014-3638).\n\ndbus-daemon did not properly reject malicious connections from local\nusers, resulting in a denial-of-service vulnerability (CVE-2014-3639).\n\nThe patch issued by the D-Bus maintainers for CVE-2014-3636 was based\non incorrect reasoning, and does not fully prevent the attack\ndescribed as CVE-2014-3636 part A, which is repeated below. Preventing\nthat attack requires raising the system dbus-daemon's RLIMIT_NOFILE\n(ulimit -n) to a higher value.\n\nBy queuing up the maximum allowed number of fds, a malicious sender\ncould reach the system dbus-daemon's RLIMIT_NOFILE (ulimit -n,\ntypically 1024 on Linux). 
This would act as a denial of service in two\nways :\n\n - new clients would be unable to connect to the\n dbus-daemon\n\n - when receiving a subsequent message from a non-malicious\n client that contained a fd, dbus-daemon would receive\n the MSG_CTRUNC flag, indicating that the list of fds was\n truncated; kernel fd-passing APIs do not provide any way\n to recover from that, so dbus-daemon responds to\n MSG_CTRUNC by disconnecting the sender, causing denial\n of service to that sender.\n\nThis update resolves the issue (CVE-2014-7824).\n\nnon-systemd processes can make dbus-daemon think systemd failed to\nactivate a system service, resulting in an error reply back to the\nrequester, causing a local denial of service (CVE-2015-0245).", "edition": 24, "published": "2015-03-31T00:00:00", "title": "Mandriva Linux Security Advisory : dbus (MDVSA-2015:176)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3477", "CVE-2014-7824", "CVE-2015-0245", "CVE-2014-3639"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:dbus-doc", "p-cpe:/a:mandriva:linux:lib64dbus-devel", "p-cpe:/a:mandriva:linux:dbus-x11", "cpe:/o:mandriva:business_server:2", "p-cpe:/a:mandriva:linux:dbus", "p-cpe:/a:mandriva:linux:lib64dbus1_3"], "id": "MANDRIVA_MDVSA-2015-176.NASL", "href": "https://www.tenable.com/plugins/nessus/82451", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2015:176. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82451);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/08/02 13:32:57\");\n\n script_cve_id(\"CVE-2014-3477\", \"CVE-2014-3532\", \"CVE-2014-3533\", \"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\", \"CVE-2014-3638\", \"CVE-2014-3639\", \"CVE-2014-7824\", \"CVE-2015-0245\");\n script_xref(name:\"MDVSA\", value:\"2015:176\");\n\n script_name(english:\"Mandriva Linux Security Advisory : dbus (MDVSA-2015:176)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated dbus packages fix multiple vulnerabilities :\n\nA denial of service vulnerability in D-Bus before 1.6.20 allows a\nlocal attacker to cause a bus-activated service that is not currently\nrunning to attempt to start, and fail, denying other users access to\nthis service Additionally, in highly unusual environments the same\nflaw could lead to a side channel between processes that should not be\nable to communicate (CVE-2014-3477).\n\nA flaw was reported in D-Bus's file descriptor passing feature. A\nlocal attacker could use this flaw to cause a service or application\nto disconnect from the bus, typically resulting in that service or\napplication exiting (CVE-2014-3532).\n\nA flaw was reported in D-Bus's file descriptor passing feature. 
A\nlocal attacker could use this flaw to cause an invalid file descriptor\nto be forwarded to a service or application, causing it to disconnect\nfrom the bus, typically resulting in that service or application\nexiting (CVE-2014-3533).\n\nOn 64-bit platforms, file descriptor passing could be abused by local\nusers to cause heap corruption in dbus-daemon, leading to a crash, or\npotentially to arbitrary code execution (CVE-2014-3635).\n\nA denial-of-service vulnerability in dbus-daemon allowed local\nattackers to prevent new connections to dbus-daemon, or disconnect\nexisting clients, by exhausting descriptor limits (CVE-2014-3636).\n\nMalicious local users could create D-Bus connections to dbus-daemon\nwhich could not be terminated by killing the participating processes,\nresulting in a denial-of-service vulnerability (CVE-2014-3637).\n\ndbus-daemon suffered from a denial-of-service vulnerability in the\ncode which tracks which messages expect a reply, allowing local\nattackers to reduce the performance of dbus-daemon (CVE-2014-3638).\n\ndbus-daemon did not properly reject malicious connections from local\nusers, resulting in a denial-of-service vulnerability (CVE-2014-3639).\n\nThe patch issued by the D-Bus maintainers for CVE-2014-3636 was based\non incorrect reasoning, and does not fully prevent the attack\ndescribed as CVE-2014-3636 part A, which is repeated below. Preventing\nthat attack requires raising the system dbus-daemon's RLIMIT_NOFILE\n(ulimit -n) to a higher value.\n\nBy queuing up the maximum allowed number of fds, a malicious sender\ncould reach the system dbus-daemon's RLIMIT_NOFILE (ulimit -n,\ntypically 1024 on Linux). 
This would act as a denial of service in two\nways :\n\n - new clients would be unable to connect to the\n dbus-daemon\n\n - when receiving a subsequent message from a non-malicious\n client that contained a fd, dbus-daemon would receive\n the MSG_CTRUNC flag, indicating that the list of fds was\n truncated; kernel fd-passing APIs do not provide any way\n to recover from that, so dbus-daemon responds to\n MSG_CTRUNC by disconnecting the sender, causing denial\n of service to that sender.\n\nThis update resolves the issue (CVE-2014-7824).\n\nnon-systemd processes can make dbus-daemon think systemd failed to\nactivate a system service, resulting in an error reply back to the\nrequester, causing a local denial of service (CVE-2015-0245).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0266.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0294.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0395.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0457.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2015-0071.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:dbus\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:dbus-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:dbus-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64dbus-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:mandriva:linux:lib64dbus1_3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"dbus-1.6.18-3.1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"dbus-doc-1.6.18-3.1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"dbus-x11-1.6.18-3.1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64dbus-devel-1.6.18-3.1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64dbus1_3-1.6.18-3.1.mbs2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": 
{"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T08:51:43", "description": "According to the versions of the dbus packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - D-BUS is a system for sending messages between\n applications. It is used both for the system-wide\n message bus service, and as a per-user-login-session\n messaging facility.\n\n - Security Fix(es)\n\n - dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when\n running on Linux 2.6.37-rc4 or later, allows local\n users to cause a denial of service (system-bus\n disconnect of other services or applications) by\n sending a message containing a file descriptor, then\n exceeding the maximum recursion depth before the\n initial message is forwarded.(CVE-2014-3532)\n\n - dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows\n local users to cause a denial of service (disconnect)\n via a certain sequence of crafted messages that cause\n the dbus-daemon to forward a message containing an\n invalid file descriptor.(CVE-2014-3533)\n\n - D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before\n 1.8.16, and 1.9.x before 1.9.10 does not validate the\n source of ActivationFailure signals, which allows local\n users to cause a denial of service (activation failure\n error returned) by leveraging a race condition\n involving sending an ActivationFailure signal before\n systemd responds.(CVE-2015-0245)\n\n - D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x\n before 1.8.8 allows local users to (1) cause a denial\n of service (prevention of new connections and\n connection drop) by queuing the maximum number of file\n descriptors or (2) cause a denial of service\n (disconnect) via multiple messages that combine to have\n more than the allowed number of file descriptors for a\n single sendmsg call.(CVE-2014-3636)\n\n - The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x\n before 1.6.20, and 1.8.x before 1.8.4, sends an\n 
AccessDenied error to the service instead of a client\n when the client is prohibited from accessing the\n service, which allows local users to cause a denial of\n service (initialization failure and exit) or possibly\n conduct a side-channel attack via a D-Bus message to an\n inactive service.(CVE-2014-3477)\n\n - D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x\n before 1.8.8 does not properly close connections for\n processes that have terminated, which allows local\n users to cause a denial of service via a D-bus message\n containing a D-Bus connection file\n descriptor.(CVE-2014-3637)\n\n - Off-by-one error in D-Bus 1.3.0 through 1.6.x before\n 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit\n system and the max_message_unix_fds limit is set to an\n odd number, allows local users to cause a denial of\n service (dbus-daemon crash) or possibly execute\n arbitrary code by sending one more file descriptor than\n the limit, which triggers a heap-based buffer overflow\n or an assertion failure.(CVE-2014-3635)\n\n - The bus_connections_check_reply function in\n config-parser.c in D-Bus before 1.6.24 and 1.8.x before\n 1.8.8 allows local users to cause a denial of service\n (CPU consumption) via a large number of method\n calls.(CVE-2014-3638)\n\n - The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before\n 1.8.8 does not properly close old connections, which\n allows local users to cause a denial of service\n (incomplete connection consumption and prevention of\n new connections) via a large number of incomplete\n connections.(CVE-2014-3639)\n\n - D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before\n 1.8.10, and 1.9.x before 1.9.2 allows local users to\n cause a denial of service (prevention of new\n connections and connection drop) by queuing the maximum\n number of file descriptors. 
NOTE: this vulnerability\n exists because of an incomplete fix for\n CVE-2014-3636.1.(CVE-2014-7824)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : dbus (EulerOS-SA-2016-1037)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3477", "CVE-2014-7824", "CVE-2015-0245", "CVE-2014-3639"], "modified": "2017-05-01T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dbus-libs", "p-cpe:/a:huawei:euleros:dbus-x11", "p-cpe:/a:huawei:euleros:dbus-devel", "p-cpe:/a:huawei:euleros:dbus", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2016-1037.NASL", "href": "https://www.tenable.com/plugins/nessus/99800", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99800);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2014-3477\",\n \"CVE-2014-3532\",\n \"CVE-2014-3533\",\n \"CVE-2014-3635\",\n \"CVE-2014-3636\",\n \"CVE-2014-3637\",\n \"CVE-2014-3638\",\n \"CVE-2014-3639\",\n \"CVE-2014-7824\",\n \"CVE-2015-0245\"\n );\n script_bugtraq_id(\n 67986,\n 68337,\n 68339,\n 69829,\n 69831,\n 69832,\n 69833,\n 69834,\n 71012,\n 72545\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : dbus (EulerOS-SA-2016-1037)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", 
value:\n\"According to the versions of the dbus packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - D-BUS is a system for sending messages between\n applications. It is used both for the system-wide\n message bus service, and as a per-user-login-session\n messaging facility.\n\n - Security Fix(es)\n\n - dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when\n running on Linux 2.6.37-rc4 or later, allows local\n users to cause a denial of service (system-bus\n disconnect of other services or applications) by\n sending a message containing a file descriptor, then\n exceeding the maximum recursion depth before the\n initial message is forwarded.(CVE-2014-3532)\n\n - dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows\n local users to cause a denial of service (disconnect)\n via a certain sequence of crafted messages that cause\n the dbus-daemon to forward a message containing an\n invalid file descriptor.(CVE-2014-3533)\n\n - D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before\n 1.8.16, and 1.9.x before 1.9.10 does not validate the\n source of ActivationFailure signals, which allows local\n users to cause a denial of service (activation failure\n error returned) by leveraging a race condition\n involving sending an ActivationFailure signal before\n systemd responds.(CVE-2015-0245)\n\n - D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x\n before 1.8.8 allows local users to (1) cause a denial\n of service (prevention of new connections and\n connection drop) by queuing the maximum number of file\n descriptors or (2) cause a denial of service\n (disconnect) via multiple messages that combine to have\n more than the allowed number of file descriptors for a\n single sendmsg call.(CVE-2014-3636)\n\n - The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x\n before 1.6.20, and 1.8.x before 1.8.4, sends an\n AccessDenied error to the service instead of a client\n when the client is prohibited from accessing 
the\n service, which allows local users to cause a denial of\n service (initialization failure and exit) or possibly\n conduct a side-channel attack via a D-Bus message to an\n inactive service.(CVE-2014-3477)\n\n - D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x\n before 1.8.8 does not properly close connections for\n processes that have terminated, which allows local\n users to cause a denial of service via a D-bus message\n containing a D-Bus connection file\n descriptor.(CVE-2014-3637)\n\n - Off-by-one error in D-Bus 1.3.0 through 1.6.x before\n 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit\n system and the max_message_unix_fds limit is set to an\n odd number, allows local users to cause a denial of\n service (dbus-daemon crash) or possibly execute\n arbitrary code by sending one more file descriptor than\n the limit, which triggers a heap-based buffer overflow\n or an assertion failure.(CVE-2014-3635)\n\n - The bus_connections_check_reply function in\n config-parser.c in D-Bus before 1.6.24 and 1.8.x before\n 1.8.8 allows local users to cause a denial of service\n (CPU consumption) via a large number of method\n calls.(CVE-2014-3638)\n\n - The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before\n 1.8.8 does not properly close old connections, which\n allows local users to cause a denial of service\n (incomplete connection consumption and prevention of\n new connections) via a large number of incomplete\n connections.(CVE-2014-3639)\n\n - D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before\n 1.8.10, and 1.9.x before 1.9.2 allows local users to\n cause a denial of service (prevention of new\n connections and connection drop) by queuing the maximum\n number of file descriptors. NOTE: this vulnerability\n exists because of an incomplete fix for\n CVE-2014-3636.1.(CVE-2014-7824)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1037\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1934dffa\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dbus packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dbus\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dbus-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dbus-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dbus-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dbus-1.6.12-11.h10\",\n \"dbus-devel-1.6.12-11.h10\",\n \"dbus-libs-1.6.12-11.h10\",\n \"dbus-x11-1.6.12-11.h10\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dbus\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T16:34:21", "description": "DBUS-1 was upgraded to 
upstream release 1.8.\n\nThis brings the version of dbus to the latest stable release from an\nunstable snapshot 1.7.4 that is known to have several regressions\n\n - Upstream changes since 1.7.4 :\n\n + Security fixes :\n\n - Do not accept an extra fd in the padding of a cmsg\n message, which could lead to a 4-byte heap buffer\n overrun. (CVE-2014-3635, fdo#83622; Simon McVittie)\n\n - Reduce default for maximum Unix file descriptors passed\n per message from 1024 to 16, preventing a uid with the\n default maximum number of connections from exhausting\n the system bus' file descriptors under Linux's default\n rlimit. Distributors or system administrators with a\n restrictive fd limit may wish to reduce these limits\n further. Additionally, on Linux this prevents a second\n denial of service in which the dbus-daemon can be made\n to exceed the maximum number of fds per sendmsg() and\n disconnect the process that would have received them.\n (CVE-2014-3636, fdo#82820; Alban Crequy)\n\n - Disconnect connections that still have a fd pending\n unmarshalling after a new configurable limit,\n pending_fd_timeout (defaulting to 150 seconds), removing\n the possibility of creating an abusive connection that\n cannot be disconnected by setting up a circular\n reference to a connection's file descriptor.\n (CVE-2014-3637, fdo#80559; Alban Crequy)\n\n - Reduce default for maximum pending replies per\n connection from 8192 to 128, mitigating an algorithmic\n complexity denial-of-service attack (CVE-2014-3638,\n fdo#81053; Alban Crequy)\n\n - Reduce default for authentication timeout on the system\n bus from 30 seconds to 5 seconds, avoiding denial of\n service by using up all unauthenticated connection\n slots; and when all unauthenticated connection slots are\n used up, make new connection attempts block instead of\n disconnecting them. (CVE-2014-3639, fdo#80919; Alban\n Crequy)\n\n - On Linux >= 2.6.37-rc4, if sendmsg() fails with\n ETOOMANYREFS, silently drop the message. 
This prevents\n an attack in which a malicious client can make\n dbus-daemon disconnect a system service, which is a\n local denial of service. (fdo#80163, CVE-2014-3532;\n Alban Crequy)\n\n - Track remaining Unix file descriptors correctly when\n more than one message in quick succession contains fds.\n This prevents another attack in which a malicious client\n can make dbus-daemon disconnect a system service.\n (fdo#79694, fdo#80469, CVE-2014-3533; Alejandro\n Martínez Suárez, Simon McVittie, Alban\n Crequy)\n\n - Alban Crequy at Collabora Ltd. discovered and fixed a\n denial-of-service flaw in dbus-daemon, part of the\n reference implementation of D-Bus. Additionally, in\n highly unusual environments the same flaw could lead to\n a side channel between processes that should not be able\n to communicate. (CVE-2014-3477, fdo#78979)\n\n + Other fixes and enhancements :\n\n - Check for libsystemd from systemd >= 209, falling back\n to the older separate libraries if not found (Umut\n Tezduyar Lindskog, Simon McVittie)\n\n - On Linux, use prctl() to disable core dumps from a test\n executable that deliberately raises SIGSEGV to test\n dbus-daemon's handling of that condition (fdo#83772,\n Simon McVittie)\n\n - Fix compilation with --enable-stats (fdo#81043, Gentoo\n #507232; Alban Crequy)\n\n - Improve documentation for running tests on Windows\n (fdo#41252, Ralf Habacker)\n\n - When dbus-launch --exit-with-session starts a\n dbus-daemon but then cannot attach to a session, kill\n the dbus-daemon as intended (fdo#74698,\n Роман\n Донченко\n )\n\n - in the CMake build system, add some hints for Linux\n users cross-compiling Windows D-Bus binaries to be able\n to run tests under Wine (fdo#41252, Ralf Habacker)\n\n - add Documentation key to dbus.service (fdo#77447,\n Cameron Norman)\n\n - in 'dbus-uuidgen --ensure', try to copy systemd's\n /etc/machine-id to /var/lib/dbus/machine-id instead of\n generating an entirely new ID (fdo#77941, Simon\n McVittie)\n\n - if 
dbus-launch receives an X error very quickly, do not\n kill unrelated processes (fdo#74698,\n Роман\n Донченко\n )\n\n - on Windows, allow up to 8K connections to the\n dbus-daemon, instead of the previous 64 (fdo#71297;\n Cristian Onet, Ralf Habacker)\n\n - cope with \\r\\n newlines in regression tests, since on\n Windows, dbus-daemon.exe uses text mode (fdo#75863,\n Руслан\n Ижбулато\n в)\n\n - Enhance the CMake build system to check for GLib and\n compile/run a subset of the regression tests (fdo#41252,\n fdo#73495; Ralf Habacker)\n\n - don't rely on va_copy(), use DBUS_VA_COPY() wrapper\n (fdo#72840, Ralf Habacker)\n\n - fix compilation of systemd journal support on older\n systemd versions where sd-journal.h doesn't include\n syslog.h (fdo#73455, Ralf Habacker)\n\n - fix compilation on older MSVC versions by including\n stdlib.h (fdo#73455, Ralf Habacker)\n\n - Allow <allow_anonymous/> to appear in an included\n configuration file (fdo#73475, Matt Hoosier)\n\n - If the tests crash with an assertion failure, they no\n longer default to blocking for a debugger to be\n attached. Set DBUS_BLOCK_ON_ABORT in the environment if\n you want the old behaviour.\n\n - To improve debuggability, the dbus-daemon and\n dbus-daemon-eavesdrop tests can be run with an external\n dbus-daemon by setting DBUS_TEST_DAEMON_ADDRESS in the\n environment. Test-cases that require an\n unusually-configured dbus-daemon are skipped.\n\n - don't require messages with no INTERFACE to be\n dispatched (fdo#68597, Simon McVittie)\n\n - document 'tcp:bind=...' 
and 'nonce-tcp:bind=...'\n (fdo#72301, Chengwei Yang)\n\n - define 'listenable' and 'connectable' addresses, and\n discuss the difference (fdo#61303, Simon McVittie)\n\n - support printing Unix file descriptors in dbus-send,\n dbus-monitor (fdo#70592, Robert Ancell)\n\n - don't install systemd units if --disable-systemd is\n given (fdo#71818, Chengwei Yang)\n\n - don't leak memory on out-of-memory while listing\n activatable or active services (fdo#71526, Radoslaw\n Pajak)\n\n - fix undefined behaviour in a regression test (fdo#69924,\n DreamNik)\n\n - escape Unix socket addresses correctly (fdo#46013,\n Chengwei Yang)\n\n - on SELinux systems, don't assume that SECCLASS_DBUS,\n DBUS__ACQUIRE_SVC and DBUS__SEND_MSG are numerically\n equal to their values in the reference policy\n (fdo#88719, osmond sun)\n\n - define PROCESS_QUERY_LIMITED_INFORMATION if missing from\n MinGW < 4 headers (fdo#71366, Matt Fischer)\n\n - define WIN32_LEAN_AND_MEAN to avoid conflicts between\n winsock.h and winsock2.h (fdo#71405, Matt Fischer)\n\n - do not return failure from _dbus_read_nonce() with no\n error set, preventing a potential crash (fdo#72298,\n Chengwei Yang)\n\n - on BSD systems, avoid some O(1)-per-process memory and\n fd leaks in kqueue, preventing test failures (fdo#69332,\n fdo#72213; Chengwei Yang)\n\n - fix warning spam on Hurd by not trying to set\n SO_REUSEADDR on Unix sockets, which doesn't do anything\n anyway on at least Linux and FreeBSD (fdo#69492, Simon\n McVittie)\n\n - fix use of TCP sockets on FreeBSD and Hurd by tolerating\n EINVAL from sendmsg() with SCM_CREDS (retrying with\n plain send()), and looking for credentials more\n correctly (fdo#69492, Simon McVittie)\n\n - ensure that tests run with a temporary XDG_RUNTIME_DIR\n to avoid getting mixed up in XDG/systemd 'user sessions'\n (fdo#61301, Simon McVittie)\n\n - refresh cached policy rules for existing connections\n when bus configuration changes (fdo#39463, Chengwei\n Yang)\n\n - If systemd support 
is enabled, libsystemd-journal is now\n required.\n\n - When activating a non-systemd service under systemd,\n annotate its stdout/stderr with its bus name in the\n Journal. Known limitation: because the socket is opened\n before forking, the process will still be logged as if\n it had dbus-daemon's process ID and user ID. (fdo#68559,\n Chengwei Yang)\n\n - Document more configuration elements in dbus-daemon(1)\n (fdo#69125, Chengwei Yang)\n\n - Don't leak string arrays or fds if\n dbus_message_iter_get_args_valist() unpacks them and\n then encounters an error (fdo#21259, Chengwei Yang)\n\n - If compiled with libaudit, retain CAP_AUDIT_WRITE so we\n can write disallowed method calls to the audit log,\n fixing a regression in 1.7.6 (fdo#49062, Colin Walters)\n\n - path_namespace='/' in match rules incorrectly matched\n nothing; it now matches everything. (fdo#70799, Simon\n McVittie)\n\n - Directory change notification via dnotify on Linux is no\n longer supported; it hadn't compiled successfully since\n 2010 in any case. If you don't have inotify (Linux) or\n kqueue (*BSD), you will need to send SIGHUP to the\n dbus-daemon when its configuration changes. (fdo#33001,\n Chengwei Yang)\n\n - Compiling with --disable-userdb-cache is no longer\n supported; it didn't work since at least 2008, and would\n lead to an extremely slow dbus-daemon even it worked.\n (fdo#15589, fdo#17133, fdo#66947; Chengwei Yang)\n\n - The DBUS_DISABLE_ASSERTS CMake option didn't actually\n disable most assertions. It has been renamed to\n DBUS_DISABLE_ASSERT to be consistent with the Autotools\n build system. (fdo#66142, Chengwei Yang)\n\n - --with-valgrind=auto enables Valgrind instrumentation if\n and only if valgrind headers are available. The default\n is still\n\n --with-valgrind=no. (fdo#56925, Simon McVittie)\n\n - Platforms with no 64-bit integer type are no longer\n supported. (fdo#65429, Simon McVittie)\n\n - GNU make is now (documented to be) required. 
(fdo#48277,\n Simon McVittie)\n\n - Full test coverage no longer requires dbus-glib,\n although the tests do not exercise the shared library\n (only a static copy) if dbus-glib is missing.\n (fdo#68852, Simon McVittie)\n\n - D-Bus Specification 0.22\n\n - Document GetAdtAuditSessionData() and\n GetConnectionSELinuxSecurityContext() (fdo#54445, Simon)\n\n - Fix example .service file (fdo#66481, Chengwei Yang)\n\n - Don't claim D-Bus is 'low-latency' (lower than what?),\n just give factual statements about it supporting async\n use (fdo#65141, Justin Lee)\n\n - Document the contents of .service files, and the fact\n that system services' filenames are constrained\n (fdo#66608; Simon McVittie, Chengwei Yang)\n\n - Be thread-safe by default on all platforms, even if\n dbus_threads_init_default() has not been called. For\n compatibility with older libdbus, library users should\n continue to call dbus_threads_init_default(): it is\n harmless to do so. (fdo#54972, Simon McVittie)\n\n - Add GetConnectionCredentials() method (fdo#54445, Simon)\n\n - New API: dbus_setenv(), a simple wrapper around\n setenv(). Note that this is not thread-safe. (fdo#39196,\n Simon)\n\n - Add dbus-send --peer=ADDRESS (connect to a given\n peer-to-peer connection, like --address=ADDRESS in\n previous versions) and dbus-send --bus=ADDRESS (connect\n to a given bus, like dbus-monitor\n\n --address=ADDRESS). dbus-send --address still exists for\n backwards compatibility, but is no longer documented.\n (fdo#48816, Andrey Mazo)\n\n - 'dbus-daemon --nofork' is allowed on Windows again.\n (fdo#68852, Simon McVittie)\n\n - Avoid an infinite busy-loop if a signal interrupts\n waitpid() (fdo#68945, Simon McVittie)\n\n - Clean up memory for parent nodes when objects are\n unexported (fdo#60176, Thomas Fitzsimmons)\n\n - Make dbus_connection_set_route_peer_messages(x, FALSE)\n behave as documented. Previously, it assumed its second\n parameter was TRUE. 
(fdo#69165, Chengwei Yang)\n\n - Escape addresses containing non-ASCII characters\n correctly (fdo#53499, Chengwei Yang)\n\n - Document <servicedir> search order correctly (fdo#66994,\n Chengwei Yang)\n\n - Don't crash on 'dbus-send --session / x.y.z' which\n regressed in 1.7.4. (fdo#65923, Chengwei Yang)\n\n - If malloc() returns NULL in _dbus_string_init() or\n similar, don't free an invalid pointer if the string is\n later freed (fdo#65959, Chengwei Yang)\n\n - If malloc() returns NULL in dbus_set_error(), don't\n va_end() a va_list that was never va_start()ed\n (fdo#66300, Chengwei Yang)\n\n - fix build failure with --enable-stats (fdo#66004,\n Chengwei Yang)\n\n - fix a regression test on platforms with strict alignment\n (fdo#67279, Colin Walters)\n\n - Avoid calling function parameters 'interface' since\n certain Windows headers have a namespace-polluting macro\n of that name (fdo#66493, Ivan Romanov)\n\n - Assorted Doxygen fixes (fdo#65755, Chengwei Yang)\n\n - Various thread-safety improvements to static variables\n (fdo#68610, Simon McVittie)\n\n - Make 'make -j check' work (fdo#68852, Simon McVittie)\n\n - Fix a NULL pointer dereference on an unlikely error path\n (fdo#69327, Sviatoslav Chagaev)\n\n - Improve valgrind memory pool tracking (fdo#69326,\n Sviatoslav Chagaev)\n\n - Don't over-allocate memory in dbus-monitor (fdo#69329,\n Sviatoslav Chagaev)\n\n - dbus-monitor can monitor dbus-daemon < 1.5.6 again\n (fdo#66107, Chengwei Yang)\n\n - If accept4() fails with EINVAL, as it can on older Linux\n kernels with newer glibc, try accept() instead of going\n into a busy-loop. (fdo#69026, Chengwei Yang)\n\n - If socket() or socketpair() fails with EINVAL or\n EPROTOTYPE, for instance on Hurd or older Linux with a\n new glibc, try without SOCK_CLOEXEC. 
(fdo#69073; Pino\n Toscano, Chengwei Yang)\n\n - Fix a file descriptor leak on an error code path.\n (fdo#69182, Sviatoslav Chagaev)\n\n - dbus-run-session: clear some unwanted environment\n variables (fdo#39196, Simon)\n\n - dbus-run-session: compile on FreeBSD (fdo#66197,\n Chengwei Yang)\n\n - Don't fail the autolaunch test if there is no DISPLAY\n (fdo#40352, Simon)\n\n - Use dbus-launch from the builddir for testing, not the\n installed copy (fdo#37849, Chengwei Yang)\n\n - Fix compilation if writev() is unavailable (fdo#69409,\n Vasiliy Balyasnyy)\n\n - Remove broken support for LOCAL_CREDS credentials\n passing, and document where each credential-passing\n scheme is used (fdo#60340, Simon McVittie)\n\n - Make autogen.sh work on *BSD by not assuming GNU\n coreutils functionality fdo#35881, fdo#69787; Chengwei\n Yang)\n\n - dbus-monitor: be portable to NetBSD (fdo#69842, Chengwei\n Yang)\n\n - dbus-launch: stop using non-portable asprintf\n (fdo#37849, Simon)\n\n - Improve error reporting from the setuid activation\n helper (fdo#66728, Chengwei Yang)\n\n - Remove unavailable command-line options from\n 'dbus-daemon --help' (fdo#42441, Ralf Habacker)\n\n - Add support for looking up local TCPv4 clients'\n credentials on Windows XP via the undocumented\n AllocateAndGetTcpExTableFromStack function (fdo#66060,\n Ralf Habacker)\n\n - Fix insufficient dependency-tracking (fdo#68505, Simon\n McVittie)\n\n - Don't include wspiapi.h, fixing a compiler warning\n (fdo#68852, Simon McVittie)\n\n - add DBUS_ENABLE_ASSERT, DBUS_ENABLE_CHECKS for less\n confusing conditionals (fdo#66142, Chengwei Yang)\n\n - improve verbose-mode output (fdo#63047, Colin Walters)\n\n - consolidate Autotools and CMake build (fdo#64875, Ralf\n Habacker)\n\n - fix various unused variables, unusual build\n configurations etc. 
(fdo#65712, fdo#65990, fdo#66005,\n fdo#66257, fdo#69165, fdo#69410, fdo#70218; Chengwei\n Yang, Vasiliy Balyasnyy)\n\n - dbus-cve-2014-3533.patch: Add patch for CVE-2014-3533 to\n fix (fdo#63127) • CVE-2012-3524: Don't access\n environment variables (fdo#52202) (fdo#51521, Dave\n Reisner) • Remove an incorrect assertion from\n DBusTransport (fdo#51657, (fdo#51406, Simon McVittie)\n (fdo#51032, Simon McVittie) (fdo#34671, Simon McVittie)\n · Check for libpthread under CMake on Unix\n (fdo#47237, Simon McVittie) spec-compliance (fdo#48580,\n David Zeuthen) non-root when using OpenBSD install(1)\n (fdo#48217, Antoine Jacoutot) (fdo#45896, Simon\n McVittie) (fdo#39549, Simon McVittie) invent their own\n 'union of everything' type (fdo#11191, Simon find(1)\n (fdo#33840, Simon McVittie) (fdo#46273, Alban Crequy)\n again on Win32, but not on WinCE (fdo#46049, Simon\n (fdo#47321, Andoni Morales Alastruey) (fdo#39231,\n fdo#41012; Simon McVittie)\n\n - Add a regression test for fdo#38005 (fdo#39836, Simon\n McVittie) a service file entry for activation\n (fdo#39230, Simon McVittie) (fdo#24317, #34870; Will\n Thompson, David Zeuthen, Simon McVittie) and document it\n better (fdo#31818, Will Thompson) • Let the bus\n daemon implement more than one interface (fdo#33757,\n • Optimize _dbus_string_replace_len to reduce waste\n (fdo#21261, (fdo#35114, Simon McVittie) • Add\n dbus_type_is_valid as public API (fdo#20496, Simon\n McVittie) to unknown interfaces in the bus daemon\n (fdo#34527, Lennart Poettering) (fdo#32245; Javier\n Jardón, Simon McVittie) • Correctly give\n XDG_DATA_HOME priority over XDG_DATA_DIRS (fdo#34496, in\n embedded environments (fdo#19997, NB#219964; Simon\n McVittie) • Install the documentation, and an index\n for Devhelp (fdo#13495, booleans when sending them\n (fdo#16338, NB#223152; Simon McVittie) errors to\n dbus-shared.h (fdo#34527, Lennart Poettering) data\n (fdo#10887, Simon McVittie) .service files (fdo#19159,\n Sven Herzberg) (fdo#35750, Colin 
Walters) (fdo#32805,\n Mark Brand) which could result in a busy-loop\n (fdo#32992, NB#200248; possibly • Fix failure to\n detect abstract socket support (fdo#29895) (fdo#32262,\n NB#180486) • Improve some error code paths\n (fdo#29981, fdo#32264, fdo#32262, fdo#33128, fdo#33277,\n fdo#33126, NB#180486) • Avoid possible symlink\n attacks in /tmp during compilation (fdo#32854) •\n Tidy up dead code (fdo#25306, fdo#33128, fdo#34292,\n NB#180486) • Improve gcc malloc annotations\n (fdo#32710) • Documentation improvements\n (fdo#11190) • Avoid readdir_r, which is difficult\n to use correctly (fdo#8284, fdo#15922, LP#241619) •\n Cope with invalid files in session.d, system.d\n (fdo#19186, • Don't distribute generated files that\n embed our builddir (fdo#30285, fdo#34292) (fdo#33474,\n LP#381063) with lcov HTML reports and\n --enable-compiler-coverage (fdo#10887) · support\n credentials-passing (fdo#32542) · opt-in to\n thread safety (fdo#33464)", "edition": 18, "published": "2014-09-25T00:00:00", "title": "openSUSE Security Update : dbus-1 (openSUSE-SU-2014:1228-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3477", "CVE-2012-3524", "CVE-2014-3639"], "modified": "2014-09-25T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:dbus-1-x11-debugsource", "p-cpe:/a:novell:opensuse:dbus-1-debuginfo", "p-cpe:/a:novell:opensuse:libdbus-1-3", "p-cpe:/a:novell:opensuse:libdbus-1-3-debuginfo-32bit", "p-cpe:/a:novell:opensuse:dbus-1-devel-32bit", "p-cpe:/a:novell:opensuse:dbus-1-x11", "p-cpe:/a:novell:opensuse:dbus-1-debugsource", "p-cpe:/a:novell:opensuse:dbus-1-x11-debuginfo", "p-cpe:/a:novell:opensuse:dbus-1", "p-cpe:/a:novell:opensuse:libdbus-1-3-debuginfo", "p-cpe:/a:novell:opensuse:libdbus-1-3-32bit", "p-cpe:/a:novell:opensuse:dbus-1-debuginfo-32bit", "p-cpe:/a:novell:opensuse:dbus-1-devel", "cpe:/o:novell:opensuse:13.1"], "id": "OPENSUSE-2014-558.NASL", 
"href": "https://www.tenable.com/plugins/nessus/77845", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-558.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77845);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2012-3524\", \"CVE-2014-3477\", \"CVE-2014-3532\", \"CVE-2014-3533\", \"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\", \"CVE-2014-3638\", \"CVE-2014-3639\");\n\n script_name(english:\"openSUSE Security Update : dbus-1 (openSUSE-SU-2014:1228-1)\");\n script_summary(english:\"Check for the openSUSE-2014-558 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"DBUS-1 was upgraded to upstream release 1.8.\n\nThis brings the version of dbus to the latest stable release from an\nunstable snapshot 1.7.4 that is know to have several regressions\n\n - Upstream changes since 1.7.4 :\n\n + Security fixes :\n\n - Do not accept an extra fd in the padding of a cmsg\n message, which could lead to a 4-byte heap buffer\n overrun. (CVE-2014-3635, fdo#83622; Simon McVittie)\n\n - Reduce default for maximum Unix file descriptors passed\n per message from 1024 to 16, preventing a uid with the\n default maximum number of connections from exhausting\n the system bus' file descriptors under Linux's default\n rlimit. Distributors or system administrators with a\n restrictive fd limit may wish to reduce these limits\n further. 
Additionally, on Linux this prevents a second\n denial of service in which the dbus-daemon can be made\n to exceed the maximum number of fds per sendmsg() and\n disconnect the process that would have received them.\n (CVE-2014-3636, fdo#82820; Alban Crequy)\n\n - Disconnect connections that still have a fd pending\n unmarshalling after a new configurable limit,\n pending_fd_timeout (defaulting to 150 seconds), removing\n the possibility of creating an abusive connection that\n cannot be disconnected by setting up a circular\n reference to a connection's file descriptor.\n (CVE-2014-3637, fdo#80559; Alban Crequy)\n\n - Reduce default for maximum pending replies per\n connection from 8192 to 128, mitigating an algorithmic\n complexity denial-of-service attack (CVE-2014-3638,\n fdo#81053; Alban Crequy)\n\n - Reduce default for authentication timeout on the system\n bus from 30 seconds to 5 seconds, avoiding denial of\n service by using up all unauthenticated connection\n slots; and when all unauthenticated connection slots are\n used up, make new connection attempts block instead of\n disconnecting them. (CVE-2014-3639, fdo#80919; Alban\n Crequy)\n\n - On Linux >0 2.6.37-rc4, if sendmsg() fails with\n ETOOMANYREFS, silently drop the message. This prevents\n an attack in which a malicious client can make\n dbus-daemon disconnect a system service, which is a\n local denial of service. (fdo#80163, CVE-2014-3532;\n Alban Crequy)\n\n - Track remaining Unix file descriptors correctly when\n more than one message in quick succession contains fds.\n This prevents another attack in which a malicious client\n can make dbus-daemon disconnect a system service.\n (fdo#79694, fdo#80469, CVE-2014-3533; Alejandro\n Martínez Suárez, Simon McVittie, Alban\n Crequy)\n\n - Alban Crequy at Collabora Ltd. discovered and fixed a\n denial-of-service flaw in dbus-daemon, part of the\n reference implementation of D-Bus. 
Additionally, in\n highly unusual environments the same flaw could lead to\n a side channel between processes that should not be able\n to communicate. (CVE-2014-3477, fdo#78979)\n\n + Other fixes and enhancements :\n\n - Check for libsystemd from systemd >= 209, falling back\n to the older separate libraries if not found (Umut\n Tezduyar Lindskog, Simon McVittie)\n\n - On Linux, use prctl() to disable core dumps from a test\n executable that deliberately raises SIGSEGV to test\n dbus-daemon's handling of that condition (fdo#83772,\n Simon McVittie)\n\n - Fix compilation with --enable-stats (fdo#81043, Gentoo\n #507232; Alban Crequy)\n\n - Improve documentation for running tests on Windows\n (fdo#41252, Ralf Habacker)\n\n - When dbus-launch --exit-with-session starts a\n dbus-daemon but then cannot attach to a session, kill\n the dbus-daemon as intended (fdo#74698,\n Роман\n Донченко\n )\n\n - in the CMake build system, add some hints for Linux\n users cross-compiling Windows D-Bus binaries to be able\n to run tests under Wine (fdo#41252, Ralf Habacker)\n\n - add Documentation key to dbus.service (fdo#77447,\n Cameron Norman)\n\n - in 'dbus-uuidgen --ensure', try to copy systemd's\n /etc/machine-id to /var/lib/dbus/machine-id instead of\n generating an entirely new ID (fdo#77941, Simon\n McVittie)\n\n - if dbus-launch receives an X error very quickly, do not\n kill unrelated processes (fdo#74698,\n Роман\n Донченко\n )\n\n - on Windows, allow up to 8K connections to the\n dbus-daemon, instead of the previous 64 (fdo#71297;\n Cristian Onet, Ralf Habacker)\n\n - cope with \\r\\n newlines in regression tests, since on\n Windows, dbus-daemon.exe uses text mode (fdo#75863,\n Руслан\n Ижбулато\n в)\n\n - Enhance the CMake build system to check for GLib and\n compile/run a subset of the regression tests (fdo#41252,\n fdo#73495; Ralf Habacker)\n\n - don't rely on va_copy(), use DBUS_VA_COPY() wrapper\n (fdo#72840, Ralf Habacker)\n\n - fix compilation of systemd journal 
support on older\n systemd versions where sd-journal.h doesn't include\n syslog.h (fdo#73455, Ralf Habacker)\n\n - fix compilation on older MSVC versions by including\n stdlib.h (fdo#73455, Ralf Habacker)\n\n - Allow <allow_anonymous/> to appear in an included\n configuration file (fdo#73475, Matt Hoosier)\n\n - If the tests crash with an assertion failure, they no\n longer default to blocking for a debugger to be\n attached. Set DBUS_BLOCK_ON_ABORT in the environment if\n you want the old behaviour.\n\n - To improve debuggability, the dbus-daemon and\n dbus-daemon-eavesdrop tests can be run with an external\n dbus-daemon by setting DBUS_TEST_DAEMON_ADDRESS in the\n environment. Test-cases that require an\n unusually-configured dbus-daemon are skipped.\n\n - don't require messages with no INTERFACE to be\n dispatched (fdo#68597, Simon McVittie)\n\n - document 'tcp:bind=...' and 'nonce-tcp:bind=...'\n (fdo#72301, Chengwei Yang)\n\n - define 'listenable' and 'connectable' addresses, and\n discuss the difference (fdo#61303, Simon McVittie)\n\n - support printing Unix file descriptors in dbus-send,\n dbus-monitor (fdo#70592, Robert Ancell)\n\n - don't install systemd units if --disable-systemd is\n given (fdo#71818, Chengwei Yang)\n\n - don't leak memory on out-of-memory while listing\n activatable or active services (fdo#71526, Radoslaw\n Pajak)\n\n - fix undefined behaviour in a regression test (fdo#69924,\n DreamNik)\n\n - escape Unix socket addresses correctly (fdo#46013,\n Chengwei Yang)\n\n - on SELinux systems, don't assume that SECCLASS_DBUS,\n DBUS__ACQUIRE_SVC and DBUS__SEND_MSG are numerically\n equal to their values in the reference policy\n (fdo#88719, osmond sun)\n\n - define PROCESS_QUERY_LIMITED_INFORMATION if missing from\n MinGW < 4 headers (fdo#71366, Matt Fischer)\n\n - define WIN32_LEAN_AND_MEAN to avoid conflicts between\n winsock.h and winsock2.h (fdo#71405, Matt Fischer)\n\n - do not return failure from _dbus_read_nonce() with no\n error set, 
preventing a potential crash (fdo#72298,\n Chengwei Yang)\n\n - on BSD systems, avoid some O(1)-per-process memory and\n fd leaks in kqueue, preventing test failures (fdo#69332,\n fdo#72213; Chengwei Yang)\n\n - fix warning spam on Hurd by not trying to set\n SO_REUSEADDR on Unix sockets, which doesn't do anything\n anyway on at least Linux and FreeBSD (fdo#69492, Simon\n McVittie)\n\n - fix use of TCP sockets on FreeBSD and Hurd by tolerating\n EINVAL from sendmsg() with SCM_CREDS (retrying with\n plain send()), and looking for credentials more\n correctly (fdo#69492, Simon McVittie)\n\n - ensure that tests run with a temporary XDG_RUNTIME_DIR\n to avoid getting mixed up in XDG/systemd 'user sessions'\n (fdo#61301, Simon McVittie)\n\n - refresh cached policy rules for existing connections\n when bus configuration changes (fdo#39463, Chengwei\n Yang)\n\n - If systemd support is enabled, libsystemd-journal is now\n required.\n\n - When activating a non-systemd service under systemd,\n annotate its stdout/stderr with its bus name in the\n Journal. Known limitation: because the socket is opened\n before forking, the process will still be logged as if\n it had dbus-daemon's process ID and user ID. (fdo#68559,\n Chengwei Yang)\n\n - Document more configuration elements in dbus-daemon(1)\n (fdo#69125, Chengwei Yang)\n\n - Don't leak string arrays or fds if\n dbus_message_iter_get_args_valist() unpacks them and\n then encounters an error (fdo#21259, Chengwei Yang)\n\n - If compiled with libaudit, retain CAP_AUDIT_WRITE so we\n can write disallowed method calls to the audit log,\n fixing a regression in 1.7.6 (fdo#49062, Colin Walters)\n\n - path_namespace='/' in match rules incorrectly matched\n nothing; it now matches everything. (fdo#70799, Simon\n McVittie)\n\n - Directory change notification via dnotify on Linux is no\n longer supported; it hadn't compiled successfully since\n 2010 in any case. 
If you don't have inotify (Linux) or\n kqueue (*BSD), you will need to send SIGHUP to the\n dbus-daemon when its configuration changes. (fdo#33001,\n Chengwei Yang)\n\n - Compiling with --disable-userdb-cache is no longer\n supported; it didn't work since at least 2008, and would\n lead to an extremely slow dbus-daemon even if it worked.\n (fdo#15589, fdo#17133, fdo#66947; Chengwei Yang)\n\n - The DBUS_DISABLE_ASSERTS CMake option didn't actually\n disable most assertions. It has been renamed to\n DBUS_DISABLE_ASSERT to be consistent with the Autotools\n build system. (fdo#66142, Chengwei Yang)\n\n - --with-valgrind=auto enables Valgrind instrumentation if\n and only if valgrind headers are available. The default\n is still\n\n --with-valgrind=no. (fdo#56925, Simon McVittie)\n\n - Platforms with no 64-bit integer type are no longer\n supported. (fdo#65429, Simon McVittie)\n\n - GNU make is now (documented to be) required. (fdo#48277,\n Simon McVittie)\n\n - Full test coverage no longer requires dbus-glib,\n although the tests do not exercise the shared library\n (only a static copy) if dbus-glib is missing.\n (fdo#68852, Simon McVittie)\n\n - D-Bus Specification 0.22\n\n - Document GetAdtAuditSessionData() and\n GetConnectionSELinuxSecurityContext() (fdo#54445, Simon)\n\n - Fix example .service file (fdo#66481, Chengwei Yang)\n\n - Don't claim D-Bus is 'low-latency' (lower than what?),\n just give factual statements about it supporting async\n use (fdo#65141, Justin Lee)\n\n - Document the contents of .service files, and the fact\n that system services' filenames are constrained\n (fdo#66608; Simon McVittie, Chengwei Yang)\n\n - Be thread-safe by default on all platforms, even if\n dbus_threads_init_default() has not been called. For\n compatibility with older libdbus, library users should\n continue to call dbus_threads_init_default(): it is\n harmless to do so. 
(fdo#54972, Simon McVittie)\n\n - Add GetConnectionCredentials() method (fdo#54445, Simon)\n\n - New API: dbus_setenv(), a simple wrapper around\n setenv(). Note that this is not thread-safe. (fdo#39196,\n Simon)\n\n - Add dbus-send --peer=ADDRESS (connect to a given\n peer-to-peer connection, like --address=ADDRESS in\n previous versions) and dbus-send --bus=ADDRESS (connect\n to a given bus, like dbus-monitor\n\n --address=ADDRESS). dbus-send --address still exists for\n backwards compatibility, but is no longer documented.\n (fdo#48816, Andrey Mazo)\n\n - 'dbus-daemon --nofork' is allowed on Windows again.\n (fdo#68852, Simon McVittie)\n\n - Avoid an infinite busy-loop if a signal interrupts\n waitpid() (fdo#68945, Simon McVittie)\n\n - Clean up memory for parent nodes when objects are\n unexported (fdo#60176, Thomas Fitzsimmons)\n\n - Make dbus_connection_set_route_peer_messages(x, FALSE)\n behave as documented. Previously, it assumed its second\n parameter was TRUE. (fdo#69165, Chengwei Yang)\n\n - Escape addresses containing non-ASCII characters\n correctly (fdo#53499, Chengwei Yang)\n\n - Document <servicedir> search order correctly (fdo#66994,\n Chengwei Yang)\n\n - Don't crash on 'dbus-send --session / x.y.z' which\n regressed in 1.7.4. 
(fdo#65923, Chengwei Yang)\n\n - If malloc() returns NULL in _dbus_string_init() or\n similar, don't free an invalid pointer if the string is\n later freed (fdo#65959, Chengwei Yang)\n\n - If malloc() returns NULL in dbus_set_error(), don't\n va_end() a va_list that was never va_start()ed\n (fdo#66300, Chengwei Yang)\n\n - fix build failure with --enable-stats (fdo#66004,\n Chengwei Yang)\n\n - fix a regression test on platforms with strict alignment\n (fdo#67279, Colin Walters)\n\n - Avoid calling function parameters 'interface' since\n certain Windows headers have a namespace-polluting macro\n of that name (fdo#66493, Ivan Romanov)\n\n - Assorted Doxygen fixes (fdo#65755, Chengwei Yang)\n\n - Various thread-safety improvements to static variables\n (fdo#68610, Simon McVittie)\n\n - Make 'make -j check' work (fdo#68852, Simon McVittie)\n\n - Fix a NULL pointer dereference on an unlikely error path\n (fdo#69327, Sviatoslav Chagaev)\n\n - Improve valgrind memory pool tracking (fdo#69326,\n Sviatoslav Chagaev)\n\n - Don't over-allocate memory in dbus-monitor (fdo#69329,\n Sviatoslav Chagaev)\n\n - dbus-monitor can monitor dbus-daemon < 1.5.6 again\n (fdo#66107, Chengwei Yang)\n\n - If accept4() fails with EINVAL, as it can on older Linux\n kernels with newer glibc, try accept() instead of going\n into a busy-loop. (fdo#69026, Chengwei Yang)\n\n - If socket() or socketpair() fails with EINVAL or\n EPROTOTYPE, for instance on Hurd or older Linux with a\n new glibc, try without SOCK_CLOEXEC. 
(fdo#69073; Pino\n Toscano, Chengwei Yang)\n\n - Fix a file descriptor leak on an error code path.\n (fdo#69182, Sviatoslav Chagaev)\n\n - dbus-run-session: clear some unwanted environment\n variables (fdo#39196, Simon)\n\n - dbus-run-session: compile on FreeBSD (fdo#66197,\n Chengwei Yang)\n\n - Don't fail the autolaunch test if there is no DISPLAY\n (fdo#40352, Simon)\n\n - Use dbus-launch from the builddir for testing, not the\n installed copy (fdo#37849, Chengwei Yang)\n\n - Fix compilation if writev() is unavailable (fdo#69409,\n Vasiliy Balyasnyy)\n\n - Remove broken support for LOCAL_CREDS credentials\n passing, and document where each credential-passing\n scheme is used (fdo#60340, Simon McVittie)\n\n - Make autogen.sh work on *BSD by not assuming GNU\n coreutils functionality fdo#35881, fdo#69787; Chengwei\n Yang)\n\n - dbus-monitor: be portable to NetBSD (fdo#69842, Chengwei\n Yang)\n\n - dbus-launch: stop using non-portable asprintf\n (fdo#37849, Simon)\n\n - Improve error reporting from the setuid activation\n helper (fdo#66728, Chengwei Yang)\n\n - Remove unavailable command-line options from\n 'dbus-daemon --help' (fdo#42441, Ralf Habacker)\n\n - Add support for looking up local TCPv4 clients'\n credentials on Windows XP via the undocumented\n AllocateAndGetTcpExTableFromStack function (fdo#66060,\n Ralf Habacker)\n\n - Fix insufficient dependency-tracking (fdo#68505, Simon\n McVittie)\n\n - Don't include wspiapi.h, fixing a compiler warning\n (fdo#68852, Simon McVittie)\n\n - add DBUS_ENABLE_ASSERT, DBUS_ENABLE_CHECKS for less\n confusing conditionals (fdo#66142, Chengwei Yang)\n\n - improve verbose-mode output (fdo#63047, Colin Walters)\n\n - consolidate Autotools and CMake build (fdo#64875, Ralf\n Habacker)\n\n - fix various unused variables, unusual build\n configurations etc. 
(fdo#65712, fdo#65990, fdo#66005,\n fdo#66257, fdo#69165, fdo#69410, fdo#70218; Chengwei\n Yang, Vasiliy Balyasnyy)\n\n - dbus-cve-2014-3533.patch: Add patch for CVE-2014-3533 to\n fix (fdo#63127) • CVE-2012-3524: Don't access\n environment variables (fdo#52202) (fdo#51521, Dave\n Reisner) • Remove an incorrect assertion from\n DBusTransport (fdo#51657, (fdo#51406, Simon McVittie)\n (fdo#51032, Simon McVittie) (fdo#34671, Simon McVittie)\n · Check for libpthread under CMake on Unix\n (fdo#47237, Simon McVittie) spec-compliance (fdo#48580,\n David Zeuthen) non-root when using OpenBSD install(1)\n (fdo#48217, Antoine Jacoutot) (fdo#45896, Simon\n McVittie) (fdo#39549, Simon McVittie) invent their own\n 'union of everything' type (fdo#11191, Simon find(1)\n (fdo#33840, Simon McVittie) (fdo#46273, Alban Crequy)\n again on Win32, but not on WinCE (fdo#46049, Simon\n (fdo#47321, Andoni Morales Alastruey) (fdo#39231,\n fdo#41012; Simon McVittie)\n\n - Add a regression test for fdo#38005 (fdo#39836, Simon\n McVittie) a service file entry for activation\n (fdo#39230, Simon McVittie) (fdo#24317, #34870; Will\n Thompson, David Zeuthen, Simon McVittie) and document it\n better (fdo#31818, Will Thompson) • Let the bus\n daemon implement more than one interface (fdo#33757,\n • Optimize _dbus_string_replace_len to reduce waste\n (fdo#21261, (fdo#35114, Simon McVittie) • Add\n dbus_type_is_valid as public API (fdo#20496, Simon\n McVittie) to unknown interfaces in the bus daemon\n (fdo#34527, Lennart Poettering) (fdo#32245; Javier\n Jardón, Simon McVittie) • Correctly give\n XDG_DATA_HOME priority over XDG_DATA_DIRS (fdo#34496, in\n embedded environments (fdo#19997, NB#219964; Simon\n McVittie) • Install the documentation, and an index\n for Devhelp (fdo#13495, booleans when sending them\n (fdo#16338, NB#223152; Simon McVittie) errors to\n dbus-shared.h (fdo#34527, Lennart Poettering) data\n (fdo#10887, Simon McVittie) .service files (fdo#19159,\n Sven Herzberg) (fdo#35750, Colin 
Walters) (fdo#32805,\n Mark Brand) which could result in a busy-loop\n (fdo#32992, NB#200248; possibly • Fix failure to\n detect abstract socket support (fdo#29895) (fdo#32262,\n NB#180486) • Improve some error code paths\n (fdo#29981, fdo#32264, fdo#32262, fdo#33128, fdo#33277,\n fdo#33126, NB#180486) • Avoid possible symlink\n attacks in /tmp during compilation (fdo#32854) •\n Tidy up dead code (fdo#25306, fdo#33128, fdo#34292,\n NB#180486) • Improve gcc malloc annotations\n (fdo#32710) • Documentation improvements\n (fdo#11190) • Avoid readdir_r, which is difficult\n to use correctly (fdo#8284, fdo#15922, LP#241619) •\n Cope with invalid files in session.d, system.d\n (fdo#19186, • Don't distribute generated files that\n embed our builddir (fdo#30285, fdo#34292) (fdo#33474,\n LP#381063) with lcov HTML reports and\n --enable-compiler-coverage (fdo#10887) · support\n credentials-passing (fdo#32542) · opt-in to\n thread safety (fdo#33464)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=896453\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2014-09/msg00038.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dbus-1 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:dbus-1-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1-x11-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1-x11-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdbus-1-3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdbus-1-3-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdbus-1-3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdbus-1-3-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"dbus-1-1.8.8-4.20.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"dbus-1-debuginfo-1.8.8-4.20.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"dbus-1-debugsource-1.8.8-4.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"dbus-1-devel-1.8.8-4.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"dbus-1-x11-1.8.8-4.20.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"dbus-1-x11-debuginfo-1.8.8-4.20.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"dbus-1-x11-debugsource-1.8.8-4.20.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libdbus-1-3-1.8.8-4.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libdbus-1-3-debuginfo-1.8.8-4.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"dbus-1-debuginfo-32bit-1.8.8-4.20.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"dbus-1-devel-32bit-1.8.8-4.20.1\") ) 
flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"libdbus-1-3-32bit-1.8.8-4.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"libdbus-1-3-debuginfo-32bit-1.8.8-4.20.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dbus-1\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T16:34:21", "description": "The DBUS-1 service and libraries were updated to upstream release\n1.6.24 fixing security issues and bugs.\n\nUpstream changes since dbus 1.6.8\n\n + Security fixes\n\n - Do not accept an extra fd in the padding of a cmsg\n message, which could lead to a 4-byte heap buffer\n overrun. (CVE-2014-3635, fdo#83622; Simon McVittie)\n\n - Reduce default for maximum Unix file descriptors passed\n per message from 1024 to 16, preventing a uid with the\n default maximum number of connections from exhausting\n the system bus' file descriptors under Linux's default\n rlimit. Distributors or system administrators with a\n more restrictive fd limit may wish to reduce these\n limits further. Additionally, on Linux this prevents a\n second denial of service in which the dbus-daemon can be\n made to exceed the maximum number of fds per sendmsg()\n and disconnect the process that would have received\n them. 
(CVE-2014-3636, fdo#82820; Alban Crequy)\n\n - Disconnect connections that still have a fd pending\n unmarshalling after a new configurable limit,\n pending_fd_timeout (defaulting to 150 seconds), removing\n the possibility of creating an abusive connection that\n cannot be disconnected by setting up a circular\n reference to a connection's file descriptor.\n (CVE-2014-3637, fdo#80559; Alban Crequy)\n\n - Reduce default for maximum pending replies per\n connection from 8192 to 128, mitigating an algorithmic\n complexity denial-of-service attack (CVE-2014-3638,\n fdo#81053; Alban Crequy)\n\n - Reduce default for authentication timeout on the system\n bus from 30 seconds to 5 seconds, avoiding denial of\n service by using up all unauthenticated connection\n slots; and when all unauthenticated connection slots are\n used up, make new connection attempts block instead of\n disconnecting them. (CVE-2014-3639, fdo#80919; Alban\n Crequy)\n\n - On Linux >= 2.6.37-rc4, if sendmsg() fails with\n ETOOMANYREFS, silently drop the message. This prevents\n an attack in which a malicious client can make\n dbus-daemon disconnect a system service, which is a\n local denial of service. (fdo#80163, CVE-2014-3532;\n Alban Crequy)\n\n - Track remaining Unix file descriptors correctly when\n more than one message in quick succession contains fds.\n This prevents another attack in which a malicious client\n can make dbus-daemon disconnect a system service.\n (fdo#79694, fdo#80469, CVE-2014-3533; Alejandro\n Martínez Suárez, Simon McVittie, Alban\n Crequy)\n\n - Alban Crequy at Collabora Ltd. discovered and fixed a\n denial-of-service flaw in dbus-daemon, part of the\n reference implementation of D-Bus. Additionally, in\n highly unusual environments the same flaw could lead to\n a side channel between processes that should not be able\n to communicate. 
(CVE-2014-3477, fdo#78979)\n\n - CVE-2013-2168: Fix misuse of va_list that could be used\n as a denial of service for system services.\n Vulnerability reported by Alexandru Cornea. (Simon)\n\n + Other fixes\n\n - Don't leak memory on out-of-memory while listing\n activatable or active services (fdo#71526, Radoslaw\n Pajak)\n\n - fix undefined behaviour in a regression test (fdo#69924,\n DreamNik)\n\n - path_namespace='/' in match rules incorrectly matched\n nothing; it now matches everything. (fdo#70799, Simon\n McVittie)\n\n - Make dbus_connection_set_route_peer_messages(x, FALSE)\n behave as documented. Previously, it assumed its second\n parameter was TRUE. (fdo#69165, Chengwei Yang)\n\n - Fix a NULL pointer dereference on an unlikely error path\n (fdo#69327, Sviatoslav Chagaev)\n\n - If accept4() fails with EINVAL, as it can on older Linux\n kernels with newer glibc, try accept() instead of going\n into a busy-loop. (fdo#69026, Chengwei Yang)\n\n - If socket() or socketpair() fails with EINVAL or\n EPROTOTYPE, for instance on Hurd or older Linux with a\n new glibc, try without SOCK_CLOEXEC. 
(fdo#69073; Pino\n Toscano, Chengwei Yang)\n\n - Fix a file descriptor leak on an error code path.\n (fdo#69182, Sviatoslav Chagaev)\n\n - Fix compilation if writev() is unavailable (fdo#69409,\n Vasiliy Balyasnyy)\n\n - Avoid an infinite busy-loop if a signal interrupts\n waitpid() (fdo#68945, Simon McVittie)\n\n - Escape addresses containing non-ASCII characters\n correctly (fdo#53499, Chengwei Yang)\n\n - If malloc() returns NULL in _dbus_string_init() or\n similar, don't free an invalid pointer if the string is\n later freed (fdo#65959, Chengwei Yang)\n\n - If malloc() returns NULL in dbus_set_error(), don't\n va_end() a va_list that was never va_start()ed\n (fdo#66300, Chengwei Yang)\n\n - Fix a regression test on platforms with strict alignment\n (fdo#67279, Colin Walters)\n\n - Avoid calling function parameters 'interface' since\n certain Windows headers have a namespace-polluting macro\n of that name (fdo#66493, Ivan Romanov)\n\n - Make 'make -j check' work (fdo#68852, Simon McVittie)\n\n - In dbus-daemon, don't crash if a .service file starts\n with key=value (fdo#60853, Chengwei Yang)\n\n - Fix an assertion failure if we try to activate systemd\n services before systemd connects to the bus (fdo#50199,\n Chengwei Yang)\n\n - Avoid compiler warnings for ignoring the return from\n write() (Chengwei Yang)\n\n - Following Unicode Corrigendum #9, the noncharacters\n U+nFFFE, U+nFFFF, U+FDD0..U+FDEF are allowed in UTF-8\n strings again. (fdo#63072, Simon McVittie)\n\n - Diagnose incorrect use of dbus_connection_get_data()\n with negative slot (i.e. before allocating the slot)\n rather than returning junk (fdo#63127, Dan Williams)\n\n - In the activation helper, when compiled for tests, do\n not reset the system bus address, fixing the regression\n tests. 
(fdo#52202, Simon)\n\n - Fix building with Valgrind 3.8, at the cost of causing\n harmless warnings with Valgrind 3.6 on some compilers\n (fdo#55932, Arun Raghavan)\n\n - Don't leak temporary fds pointing to /dev/null\n (fdo#56927, Michel HERMIER)\n\n - Create session.d, system.d directories under CMake\n (fdo#41319, Ralf Habacker)\n\n - Include alloca.h for alloca() if available, fixing\n compilation on Solaris 10 (fdo#63071, Dagobert\n Michelsen)", "edition": 18, "published": "2014-09-26T00:00:00", "title": "openSUSE Security Update : dbus-1 (openSUSE-SU-2014:1239-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3532", "CVE-2014-3533", "CVE-2013-2168", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3477", "CVE-2014-3639"], "modified": "2014-09-26T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:dbus-1-x11-debugsource", "cpe:/o:novell:opensuse:12.3", "p-cpe:/a:novell:opensuse:dbus-1-debuginfo", "p-cpe:/a:novell:opensuse:libdbus-1-3", "p-cpe:/a:novell:opensuse:libdbus-1-3-debuginfo-32bit", "p-cpe:/a:novell:opensuse:dbus-1-devel-32bit", "p-cpe:/a:novell:opensuse:dbus-1-32bit", "p-cpe:/a:novell:opensuse:dbus-1-x11", "p-cpe:/a:novell:opensuse:dbus-1-debugsource", "p-cpe:/a:novell:opensuse:dbus-1-x11-debuginfo", "p-cpe:/a:novell:opensuse:dbus-1", "p-cpe:/a:novell:opensuse:libdbus-1-3-debuginfo", "p-cpe:/a:novell:opensuse:libdbus-1-3-32bit", "p-cpe:/a:novell:opensuse:dbus-1-debuginfo-32bit", "p-cpe:/a:novell:opensuse:dbus-1-devel"], "id": "OPENSUSE-2014-557.NASL", "href": "https://www.tenable.com/plugins/nessus/77890", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-557.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77890);\n script_version(\"1.5\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2013-2168\", \"CVE-2014-3477\", \"CVE-2014-3532\", \"CVE-2014-3533\", \"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\", \"CVE-2014-3638\", \"CVE-2014-3639\");\n\n script_name(english:\"openSUSE Security Update : dbus-1 (openSUSE-SU-2014:1239-1)\");\n script_summary(english:\"Check for the openSUSE-2014-557 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The DBUS-1 service and libraries were updated to upstream release\n1.6.24 fixing security issues and bugs.\n\nUpstream changes since dbus 1.6.8\n\n + Security fixes\n\n - Do not accept an extra fd in the padding of a cmsg\n message, which could lead to a 4-byte heap buffer\n overrun. (CVE-2014-3635, fdo#83622; Simon McVittie)\n\n - Reduce default for maximum Unix file descriptors passed\n per message from 1024 to 16, preventing a uid with the\n default maximum number of connections from exhausting\n the system bus' file descriptors under Linux's default\n rlimit. Distributors or system administrators with a\n more restrictive fd limit may wish to reduce these\n limits further. Additionally, on Linux this prevents a\n second denial of service in which the dbus-daemon can be\n made to exceed the maximum number of fds per sendmsg()\n and disconnect the process that would have received\n them. 
(CVE-2014-3636, fdo#82820; Alban Crequy)\n\n - Disconnect connections that still have a fd pending\n unmarshalling after a new configurable limit,\n pending_fd_timeout (defaulting to 150 seconds), removing\n the possibility of creating an abusive connection that\n cannot be disconnected by setting up a circular\n reference to a connection's file descriptor.\n (CVE-2014-3637, fdo#80559; Alban Crequy)\n\n - Reduce default for maximum pending replies per\n connection from 8192 to 128, mitigating an algorithmic\n complexity denial-of-service attack (CVE-2014-3638,\n fdo#81053; Alban Crequy)\n\n - Reduce default for authentication timeout on the system\n bus from 30 seconds to 5 seconds, avoiding denial of\n service by using up all unauthenticated connection\n slots; and when all unauthenticated connection slots are\n used up, make new connection attempts block instead of\n disconnecting them. (CVE-2014-3639, fdo#80919; Alban\n Crequy)\n\n - On Linux >= 2.6.37-rc4, if sendmsg() fails with\n ETOOMANYREFS, silently drop the message. This prevents\n an attack in which a malicious client can make\n dbus-daemon disconnect a system service, which is a\n local denial of service. (fdo#80163, CVE-2014-3532;\n Alban Crequy)\n\n - Track remaining Unix file descriptors correctly when\n more than one message in quick succession contains fds.\n This prevents another attack in which a malicious client\n can make dbus-daemon disconnect a system service.\n (fdo#79694, fdo#80469, CVE-2014-3533; Alejandro\n Martínez Suárez, Simon McVittie, Alban\n Crequy)\n\n - Alban Crequy at Collabora Ltd. discovered and fixed a\n denial-of-service flaw in dbus-daemon, part of the\n reference implementation of D-Bus. Additionally, in\n highly unusual environments the same flaw could lead to\n a side channel between processes that should not be able\n to communicate. 
(CVE-2014-3477, fdo#78979)\n\n - CVE-2013-2168: Fix misuse of va_list that could be used\n as a denial of service for system services.\n Vulnerability reported by Alexandru Cornea. (Simon)\n\n + Other fixes\n\n - Don't leak memory on out-of-memory while listing\n activatable or active services (fdo#71526, Radoslaw\n Pajak)\n\n - fix undefined behaviour in a regression test (fdo#69924,\n DreamNik)\n\n - path_namespace='/' in match rules incorrectly matched\n nothing; it now matches everything. (fdo#70799, Simon\n McVittie)\n\n - Make dbus_connection_set_route_peer_messages(x, FALSE)\n behave as documented. Previously, it assumed its second\n parameter was TRUE. (fdo#69165, Chengwei Yang)\n\n - Fix a NULL pointer dereference on an unlikely error path\n (fdo#69327, Sviatoslav Chagaev)\n\n - If accept4() fails with EINVAL, as it can on older Linux\n kernels with newer glibc, try accept() instead of going\n into a busy-loop. (fdo#69026, Chengwei Yang)\n\n - If socket() or socketpair() fails with EINVAL or\n EPROTOTYPE, for instance on Hurd or older Linux with a\n new glibc, try without SOCK_CLOEXEC. 
(fdo#69073; Pino\n Toscano, Chengwei Yang)\n\n - Fix a file descriptor leak on an error code path.\n (fdo#69182, Sviatoslav Chagaev)\n\n - Fix compilation if writev() is unavailable (fdo#69409,\n Vasiliy Balyasnyy)\n\n - Avoid an infinite busy-loop if a signal interrupts\n waitpid() (fdo#68945, Simon McVittie)\n\n - Escape addresses containing non-ASCII characters\n correctly (fdo#53499, Chengwei Yang)\n\n - If malloc() returns NULL in _dbus_string_init() or\n similar, don't free an invalid pointer if the string is\n later freed (fdo#65959, Chengwei Yang)\n\n - If malloc() returns NULL in dbus_set_error(), don't\n va_end() a va_list that was never va_start()ed\n (fdo#66300, Chengwei Yang)\n\n - Fix a regression test on platforms with strict alignment\n (fdo#67279, Colin Walters)\n\n - Avoid calling function parameters 'interface' since\n certain Windows headers have a namespace-polluting macro\n of that name (fdo#66493, Ivan Romanov)\n\n - Make 'make -j check' work (fdo#68852, Simon McVittie)\n\n - In dbus-daemon, don't crash if a .service file starts\n with key=value (fdo#60853, Chengwei Yang)\n\n - Fix an assertion failure if we try to activate systemd\n services before systemd connects to the bus (fdo#50199,\n Chengwei Yang)\n\n - Avoid compiler warnings for ignoring the return from\n write() (Chengwei Yang)\n\n - Following Unicode Corrigendum #9, the noncharacters\n U+nFFFE, U+nFFFF, U+FDD0..U+FDEF are allowed in UTF-8\n strings again. (fdo#63072, Simon McVittie)\n\n - Diagnose incorrect use of dbus_connection_get_data()\n with negative slot (i.e. before allocating the slot)\n rather than returning junk (fdo#63127, Dan Williams)\n\n - In the activation helper, when compiled for tests, do\n not reset the system bus address, fixing the regression\n tests. 
(fdo#52202, Simon)\n\n - Fix building with Valgrind 3.8, at the cost of causing\n harmless warnings with Valgrind 3.6 on some compilers\n (fdo#55932, Arun Raghavan)\n\n - Don't leak temporary fds pointing to /dev/null\n (fdo#56927, Michel HERMIER)\n\n - Create session.d, system.d directories under CMake\n (fdo#41319, Ralf Habacker)\n\n - Include alloca.h for alloca() if available, fixing\n compilation on Solaris 10 (fdo#63071, Dagobert\n Michelsen)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=896453\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dbus-1 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1-x11-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dbus-1-x11-debugsource\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:libdbus-1-3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdbus-1-3-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdbus-1-3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libdbus-1-3-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.3\", reference:\"dbus-1-1.6.24-2.26.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"dbus-1-debuginfo-1.6.24-2.26.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"dbus-1-debugsource-1.6.24-2.26.1\") ) flag++;\nif 
( rpm_check(release:\"SUSE12.3\", reference:\"dbus-1-devel-1.6.24-2.26.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"dbus-1-x11-1.6.24-2.26.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"dbus-1-x11-debuginfo-1.6.24-2.26.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"dbus-1-x11-debugsource-1.6.24-2.26.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libdbus-1-3-1.6.24-2.26.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libdbus-1-3-debuginfo-1.6.24-2.26.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"dbus-1-32bit-1.6.24-2.26.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"dbus-1-debuginfo-32bit-1.6.24-2.26.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"dbus-1-devel-32bit-1.6.24-2.26.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"libdbus-1-3-32bit-1.6.24-2.26.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"libdbus-1-3-debuginfo-32bit-1.6.24-2.26.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dbus-1\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:12:21", "description": "Update to 1.6.28\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2014-12-15T00:00:00", "title": "Fedora 20 : dbus-1.6.28-1.fc20 (2014-16243)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-7824", "CVE-2014-3639"], "modified": "2014-12-15T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:dbus", "cpe:/o:fedoraproject:fedora:20"], "id": "FEDORA_2014-16243.NASL", "href": "https://www.tenable.com/plugins/nessus/79924", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-16243.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79924);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\", \"CVE-2014-3638\", \"CVE-2014-3639\", \"CVE-2014-7824\");\n script_xref(name:\"FEDORA\", value:\"2014-16243\");\n\n script_name(english:\"Fedora 20 : dbus-1.6.28-1.fc20 (2014-16243)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to 1.6.28\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1140523\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1140525\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1140527\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1140529\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1140532\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1173555\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146098.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c0243c6c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected dbus package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:dbus\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"dbus-1.6.28-1.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dbus\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:12:21", "description": "Update to 1.8.12 (#1168438)\n\n - Fixes CVE-2014-3635 (fd.o#83622)\n\n - Fixes CVE-2014-3636 (fd.o#82820)\n\n - Fixes CVE-2014-3637 (fd.o#80559)\n\n - Fixes CVE-2014-3638 (fd.o#81053)\n\n - Fixes CVE-2014-3639 (fd.o#80919)\n\n - Fixes CVE-2014-7824 (fd.o#85105)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2014-12-17T00:00:00", "title": "Fedora 21 : dbus-1.8.12-1.fc21 (2014-16147)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-7824", "CVE-2014-3639"], "modified": "2014-12-17T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:dbus", "cpe:/o:fedoraproject:fedora:21"], "id": "FEDORA_2014-16147.NASL", "href": "https://www.tenable.com/plugins/nessus/80060", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-16147.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80060);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\", \"CVE-2014-3638\", \"CVE-2014-3639\", \"CVE-2014-7824\");\n script_xref(name:\"FEDORA\", value:\"2014-16147\");\n\n script_name(english:\"Fedora 21 : dbus-1.8.12-1.fc21 (2014-16147)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to 1.8.12 (#1168438)\n\n - Fixes CVE-2014-3635 (fd.o#83622)\n\n - Fixes CVE-2014-3636 (fd.o#82820)\n\n - Fixes CVE-2014-3637 (fd.o#80559)\n\n - Fixes CVE-2014-3638 (fd.o#81053)\n\n - Fixes CVE-2014-3639 (fd.o#80919)\n\n - Fixes CVE-2014-7824 (fd.o#85105)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1140523\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1140525\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1140527\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1140529\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1140532\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1173555\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146313.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f0e50596\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected dbus package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:dbus\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"dbus-1.8.12-1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dbus\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T11:54:47", "description": "Updated dbus packages fix the following security issues :\n\nAlban Crequy and Simon McVittie discovered several vulnerabilities in\nthe D-Bus message daemon :\n\nOn 64-bit platforms, file descriptor passing could be abused by local\nusers to cause heap corruption in dbus-daemon, leading to a crash, or\npotentially to arbitrary code execution (CVE-2014-3635).\n\nA denial-of-service vulnerability in dbus-daemon allowed local\nattackers to prevent new connections to dbus-daemon, or disconnect\nexisting clients, by exhausting descriptor limits (CVE-2014-3636).\n\nMalicious local users could create D-Bus connections to 
dbus-daemon\nwhich could not be terminated by killing the participating processes,\nresulting in a denial-of-service vulnerability (CVE-2014-3637).\n\ndbus-daemon suffered from a denial-of-service vulnerability in the\ncode which tracks which messages expect a reply, allowing local\nattackers to reduce the performance of dbus-daemon (CVE-2014-3638).\n\ndbus-daemon did not properly reject malicious connections from local\nusers, resulting in a denial-of-service vulnerability (CVE-2014-3639).\n\nThe patch issued by the D-Bus maintainers for CVE-2014-3636 was based\non incorrect reasoning, and does not fully prevent the attack\ndescribed as CVE-2014-3636 part A, which is repeated below. Preventing\nthat attack requires raising the system dbus-daemon's RLIMIT_NOFILE\n(ulimit -n) to a higher value.\n\nBy queuing up the maximum allowed number of fds, a malicious sender\ncould reach the system dbus-daemon's RLIMIT_NOFILE (ulimit -n,\ntypically 1024 on Linux). This would act as a denial of service in two\nways :\n\n - new clients would be unable to connect to the\n dbus-daemon\n\n - when receiving a subsequent message from a\n non-malicious client that contained a fd, dbus-daemon\n would receive the MSG_CTRUNC flag, indicating that the\n list of fds was truncated; kernel fd-passing APIs do\n not provide any way to recover from that, so\n dbus-daemon responds to MSG_CTRUNC by disconnecting\n the sender, causing denial of service to that sender.\n\nThis update also resolves the CVE-2014-7824 security vulnerability.", "edition": 25, "published": "2014-11-19T00:00:00", "title": "Mandriva Linux Security Advisory : dbus (MDVSA-2014:214)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-7824", "CVE-2014-3639"], "modified": "2014-11-19T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:lib64dbus-1-devel", "p-cpe:/a:mandriva:linux:dbus-doc", "cpe:/o:mandriva:business_server:1", 
"p-cpe:/a:mandriva:linux:lib64dbus-1_3", "p-cpe:/a:mandriva:linux:dbus-x11", "p-cpe:/a:mandriva:linux:dbus"], "id": "MANDRIVA_MDVSA-2014-214.NASL", "href": "https://www.tenable.com/plugins/nessus/79322", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2014:214. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79322);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-3635\", \"CVE-2014-3636\", \"CVE-2014-3637\", \"CVE-2014-3638\", \"CVE-2014-3639\", \"CVE-2014-7824\");\n script_bugtraq_id(69829, 69831, 69832, 69833, 69834, 71012);\n script_xref(name:\"MDVSA\", value:\"2014:214\");\n\n script_name(english:\"Mandriva Linux Security Advisory : dbus (MDVSA-2014:214)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated dbus packages fixes the following security issues :\n\nAlban Crequy and Simon McVittie discovered several vulnerabilities in\nthe D-Bus message daemon :\n\nOn 64-bit platforms, file descriptor passing could be abused by local\nusers to cause heap corruption in dbus-daemon, leading to a crash, or\npotentially to arbitrary code execution (CVE-2014-3635).\n\nA denial-of-service vulnerability in dbus-daemon allowed local\nattackers to prevent new connections to dbus-daemon, or disconnect\nexisting clients, by exhausting descriptor limits (CVE-2014-3636).\n\nMalicious local users could create D-Bus connections to dbus-daemon\nwhich could not be terminated by killing the 
participating processes,\nresulting in a denial-of-service vulnerability (CVE-2014-3637).\n\ndbus-daemon suffered from a denial-of-service vulnerability in the\ncode which tracks which messages expect a reply, allowing local\nattackers to reduce the performance of dbus-daemon (CVE-2014-3638).\n\ndbus-daemon did not properly reject malicious connections from local\nusers, resulting in a denial-of-service vulnerability (CVE-2014-3639).\n\nThe patch issued by the D-Bus maintainers for CVE-2014-3636 was based\non incorrect reasoning, and does not fully prevent the attack\ndescribed as CVE-2014-3636 part A, which is repeated below. Preventing\nthat attack requires raising the system dbus-daemon's RLIMIT_NOFILE\n(ulimit -n) to a higher value.\n\nBy queuing up the maximum allowed number of fds, a malicious sender\ncould reach the system dbus-daemon's RLIMIT_NOFILE (ulimit -n,\ntypically 1024 on Linux). This would act as a denial of service in two\nways :\n\n - new clients would be unable to connect to the\n dbus-daemon\n\n - when receiving a subsequent message from a\n non-malicious client that contained a fd, dbus-daemon\n would receive the MSG_CTRUNC flag, indicating that the\n list of fds was truncated; kernel fd-passing APIs do\n not provide any way to recover from that, so\n dbus-daemon responds to MSG_CTRUNC by disconnecting\n the sender, causing denial of service to that sender.\n\nThis update also resolves the CVE-2014-7824 security vulnerability.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0395.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0457.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", 
value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:dbus\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:dbus-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:dbus-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64dbus-1-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64dbus-1_3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/11/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"dbus-1.4.16-7.5.mbs1\")) flag++;\nif 
(rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"dbus-doc-1.4.16-7.5.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"dbus-x11-1.4.16-7.5.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64dbus-1-devel-1.4.16-7.5.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64dbus-1_3-1.4.16-7.5.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:57", "bulletinFamily": "software", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-7824", "CVE-2014-3639"], "description": "Memory corruptions, DoS.", "edition": 1, "modified": "2014-11-30T00:00:00", "published": "2014-11-30T00:00:00", "id": "SECURITYVULNS:VULN:13974", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13974", "title": "dbus multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:53", "bulletinFamily": "software", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3639"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-3026-1 security@debian.org\r\nhttp://www.debian.org/security/ Florian Weimer\r\nSeptember 16, 2014 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : dbus\r\nCVE ID : CVE-2014-3635 CVE-2014-3636 CVE-2014-3637 CVE-2014-3638 \r\n CVE-2014-3639\r\n\r\nAlban Crequy and Simon McVittie discovered 
several vulnerabilities in\r\nthe D-Bus message daemon.\r\n\r\nCVE-2014-3635\r\n\r\n On 64-bit platforms, file descriptor passing could be abused by\r\n local users to cause heap corruption in the dbus-daemon crash,\r\n leading to a crash, or potentially to arbitrary code execution.\r\n\r\nCVE-2014-3636\r\n\r\n A denial-of-service vulnerability in dbus-daemon allowed local\r\n attackers to prevent new connections to dbus-daemon, or disconnect\r\n existing clients, by exhausting descriptor limits.\r\n\r\nCVE-2014-3637\r\n\r\n Malicious local users could create D-Bus connections to\r\n dbus-daemon which could not be terminated by killing the\r\n participating processes, resulting in a denial-of-service\r\n vulnerability.\r\n\r\nCVE-2014-3638\r\n\r\n dbus-daemon suffered from a denial-of-service vulnerability in the\r\n code which tracks which messages expect a reply, allowing local\r\n attackers to reduce the performance of dbus-daemon.\r\n\r\nCVE-2014-3639\r\n\r\n dbus-daemon did not properly reject malicious connections from\r\n local users, resulting in a denial-of-service vulnerability.\r\n\r\nFor the stable distribution (wheezy), these problems have been fixed in\r\nversion 1.6.8-1+deb7u4.\r\n\r\nFor the unstable distribution (sid), these problems have been fixed in\r\nversion 1.8.8-1.\r\n\r\nWe recommend that you upgrade your dbus packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: https://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 
(GNU/Linux)\r\n\r\niQEcBAEBAgAGBQJUGIrzAAoJEL97/wQC1SS+bgAH/2v7suJ3q6QQ9r8dpK3wlYtC\r\nn6DrrqHvzECB0oEro51cvkHY9cl8HSYlKZoRXdbluEaHGCu+8f/IZ0aQIC2hkz1e\r\nCqh62l4Gzo+CZRmnDk4oTi2PcqnEXkIJgOo7pEDT4C9+4c5sF+vbLkAJ+x4VoRbf\r\neneYNgwIPGh8pyvw9VrMzTJAE81j5fZC5g6jxFfQCCOfo6IZlxKhn+d5XCElDz1f\r\nyO4oeczxOkH0oHUo0Jo6Kd2RllbTbO9F+f2PVTOPRAvr1yqEj1zRtll0kA2vXZ0p\r\n13pcZd3F/AWYDF8O5slOPZulx8GmVDETir2Jd8bPCduv7C4DPN9x8MA2IoYV668=\r\n=Cvxc\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "modified": "2014-09-21T00:00:00", "published": "2014-09-21T00:00:00", "id": "SECURITYVULNS:DOC:31096", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31096", "title": "[SECURITY] [DSA 3026-1] dbus security update", "type": "securityvulns", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "cvelist": ["CVE-2014-3532", "CVE-2014-3533"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2014:148\r\n http://www.mandriva.com/en/support/security/\r\n _______________________________________________________________________\r\n\r\n Package : dbus\r\n Date : July 31, 2014\r\n Affected: Business Server 1.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Updated dbus packages fix security vulnerabilities:\r\n \r\n A flaw was reported in D-Bus's file descriptor passing feature. A\r\n local attacker could use this flaw to cause a service or application\r\n to disconnect from the bus, typically resulting in that service or\r\n application exiting (CVE-2014-3532).\r\n \r\n A flaw was reported in D-Bus's file descriptor passing feature. 
A local\r\n attacker could use this flaw to cause an invalid file descriptor to be\r\n forwarded to a service or application, causing it to disconnect from\r\n the bus, typically resulting in that service or application exiting\r\n (CVE-2014-3533).\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3532\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3533\r\n http://advisories.mageia.org/MGASA-2014-0294.html\r\n _______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Mandriva Business Server 1/X86_64:\r\n 3ec7d0230c9bba5579b6970e80e30b1d mbs1/x86_64/dbus-1.4.16-6.4.mbs1.x86_64.rpm\r\n 0086d90124d84e60a09c70fa8e70baf3 mbs1/x86_64/dbus-doc-1.4.16-6.4.mbs1.x86_64.rpm\r\n d126249502ee1a3819af4e5ae9600115 mbs1/x86_64/dbus-x11-1.4.16-6.4.mbs1.x86_64.rpm\r\n 17d4362c3888962ac3e402eacc5aac15 mbs1/x86_64/lib64dbus-1_3-1.4.16-6.4.mbs1.x86_64.rpm\r\n 8e46f1e7c2c5d4fb2ffc4fda7bfba55b mbs1/x86_64/lib64dbus-1-devel-1.4.16-6.4.mbs1.x86_64.rpm \r\n df3ab9438c830215ad2b3597921d0333 mbs1/SRPMS/dbus-1.4.16-6.4.mbs1.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. 
You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/en/support/security/advisories/\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 (GNU/Linux)\r\n\r\niD8DBQFT2g5hmqjQ0CJFipgRAqnvAJ9dYBe41rRJS6wgul/J+MM9FucTcQCgwqnZ\r\nZAJiQeK2X5Igq8mHwz7YuwQ=\r\n=TEte\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "modified": "2014-08-04T00:00:00", "published": "2014-08-04T00:00:00", "id": "SECURITYVULNS:DOC:30965", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30965", "title": "[ MDVSA-2014:148 ] dbus", "type": "securityvulns", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:56", "bulletinFamily": "software", "cvelist": ["CVE-2014-3532", "CVE-2014-3533"], "description": "Few DoS conditions.", "edition": 1, "modified": "2014-08-04T00:00:00", "published": "2014-08-04T00:00:00", "id": "SECURITYVULNS:VULN:13895", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13895", "title": "dbus security vulnerabilities", "type": "securityvulns", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:55", "bulletinFamily": "software", "cvelist": ["CVE-2014-7824"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2425-1\r\nNovember 27, 2014\r\n\r\ndbus vulnerability\r\n==========================================================================\r\n\r\nA security issue 
affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 14.10\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nDBus could be made to stop responding under certain conditions.\r\n\r\nSoftware Description:\r\n- dbus: simple interprocess messaging system\r\n\r\nDetails:\r\n\r\nIt was discovered that DBus incorrectly handled a large number of file\r\ndescriptor messages. A local attacker could use this issue to cause DBus to\r\nstop responding, resulting in a denial of service. (CVE-2014-7824)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 14.10:\r\n dbus 1.8.8-1ubuntu2.1\r\n libdbus-1-3 1.8.8-1ubuntu2.1\r\n\r\nUbuntu 14.04 LTS:\r\n dbus 1.6.18-0ubuntu4.3\r\n libdbus-1-3 1.6.18-0ubuntu4.3\r\n\r\nUbuntu 12.04 LTS:\r\n dbus 1.4.18-1ubuntu1.7\r\n libdbus-1-3 1.4.18-1ubuntu1.7\r\n\r\nAfter a standard system update you need to reboot your computer to make all\r\nthe necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2425-1\r\n CVE-2014-7824\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/dbus/1.8.8-1ubuntu2.1\r\n https://launchpad.net/ubuntu/+source/dbus/1.6.18-0ubuntu4.3\r\n https://launchpad.net/ubuntu/+source/dbus/1.4.18-1ubuntu1.7\r\n\r\n\r\n\r\n\r\n-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2014-11-30T00:00:00", "published": "2014-11-30T00:00:00", "id": "SECURITYVULNS:DOC:31403", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31403", "title": "[USN-2425-1] DBus vulnerability", "type": "securityvulns", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:57", "bulletinFamily": "software", "cvelist": ["CVE-2013-2635", "CVE-2014-1536", "CVE-2013-1797", 
"CVE-2014-4208", "CVE-2014-3508", "CVE-2014-4262", "CVE-2014-3566", "CVE-2014-2397", "CVE-2014-2490", "CVE-2013-1767", "CVE-2015-0512", "CVE-2012-6548", "CVE-2014-4263", "CVE-2014-0457", "CVE-2014-0455", "CVE-2014-0446", "CVE-2013-0268", "CVE-2013-0160", "CVE-2014-3613", "CVE-2014-4218", "CVE-2013-1848", "CVE-2014-1538", "CVE-2014-4221", "CVE-2014-2420", "CVE-2013-2005", "CVE-2014-3638", "CVE-2014-0458", "CVE-2014-2427", "CVE-2014-3507", "CVE-2013-1860", "CVE-2014-4268", "CVE-2014-1537", "CVE-2014-2413", "CVE-2014-0076", "CVE-2014-4265", "CVE-2014-3513", "CVE-2013-1792", "CVE-2013-4242", "CVE-2014-0454", "CVE-2014-0224", "CVE-2014-0453", "CVE-2014-0432", "CVE-2014-4266", "CVE-2012-2137", "CVE-2014-0461", "CVE-2014-3511", "CVE-2011-3389", "CVE-2014-0459", "CVE-2014-0456", "CVE-2014-4244", "CVE-2013-1772", "CVE-2014-1534", "CVE-2013-0349", "CVE-2014-0429", "CVE-2013-1774", "CVE-2014-0463", "CVE-2014-3470", "CVE-2014-3506", "CVE-2014-1545", "CVE-2013-0311", "CVE-2014-4209", "CVE-2014-0464", "CVE-2014-0139", "CVE-2014-0092", "CVE-2014-2403", "CVE-2011-0020", "CVE-2010-5107", "CVE-2014-0449", "CVE-2014-2412", "CVE-2014-2428", "CVE-2010-5298", "CVE-2013-0231", "CVE-2014-2421", "CVE-2014-0460", "CVE-2014-0448", "CVE-2014-0195", "CVE-2014-0198", "CVE-2014-4216", "CVE-2014-2401", "CVE-2014-3567", "CVE-2014-0015", "CVE-2014-3620", "CVE-2013-0913", "CVE-2014-4264", "CVE-2014-2422", "CVE-2014-4330", "CVE-2014-4220", "CVE-2012-6085", "CVE-2014-3512", "CVE-2013-2002", "CVE-2013-1901", "CVE-2014-3510", "CVE-2012-6549", "CVE-2014-2423", "CVE-2014-1541", "CVE-2014-2410", "CVE-2013-1902", "CVE-2013-0914", "CVE-2014-2483", "CVE-2013-2634", "CVE-2012-5885", "CVE-2014-3568", "CVE-2014-1533", "CVE-2014-4227", "CVE-2014-2409", "CVE-2014-4247", "CVE-2013-0216", "CVE-2014-4252", "CVE-2013-1796", "CVE-2014-0138", "CVE-2014-4219", "CVE-2013-1798", "CVE-2013-1900", "CVE-2014-2398", "CVE-2014-0451", "CVE-2014-0452", "CVE-2014-3509", "CVE-2014-5139", "CVE-2014-2414", "CVE-2014-4223", 
"CVE-2011-0064", "CVE-2013-1899", "CVE-2014-3639", "CVE-2014-0221", "CVE-2014-2402"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nESA-2015-002: Unisphere Central Security Update for Multiple Vulnerabilities\r\n\r\nEMC Identifier: ESA-2015-002\r\n \t\r\nCVE Identifier: CVE-2013-1899, CVE-2013-1900, CVE-2013-1901, CVE-2013-1902, CVE-2012-5885, CVE-2011-3389, CVE-2013-1767, CVE-2012-2137, CVE-2012-6548, CVE-2013-1797, CVE-2013-0231, CVE-2013-1774, CVE-2013-1848, CVE-2013-0311, CVE-2013-2634, CVE-2013-0268, CVE-2013-0913,CVE-2013-1772, CVE-2013-0216, CVE-2013-1792, CVE-2012-6549, CVE-2013-2635, CVE-2013-0914, CVE-2013-1796, CVE-2013-0160, CVE-2013-1860, CVE-2013-0349, CVE-2013-1798, CVE-2013-4242, CVE-2014-0138, CVE-2014-0139, CVE-2010-5298, CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139, CVE-2012-6085, CVE-2014-2403, CVE-2014-0446, CVE-2014-0457, CVE-2014-0453, CVE-2014-2412, CVE-2014-2398, CVE-2014-0458, CVE-2014-2397, CVE-2014-0460, CVE-2014-0429, CVE-2014-2428, CVE-2014-2423, CVE-2014-2420, CVE-2014-0448, CVE-2014-0459, CVE-2014-2427, CVE-2014-2414, CVE-2014-0461, CVE-2014-0454, CVE-2014-2422, CVE-2014-0464, CVE-2014-2401, CVE-2014-0456, CVE-2014-0455, CVE-2014-0451, CVE-2014-0449, CVE-2014-0432, CVE-2014-0463, CVE-2014-2410 , CVE-2014-2413, CVE-2014-2421, CVE-2014-2409, CVE-2014-2402, CVE-2014-0452, CVE-2010-5107, CVE-2014-1545, CVE-2014-1541, CVE-2014-1534, CVE-2014-1533, CVE-2014-1536, CVE-2014-1537, CVE-2014-1538, CVE-2013-2005, CVE-2013-2002, CVE-2014-0092, CVE-2014-0015, CVE-2014-4220, CVE-2014-2490, CVE-2014-4266, CVE-2014-4219, CVE-2014-2483, CVE-2014-4263, CVE-2014-4264, CVE-2014-4268, CVE-2014-4252, CVE-2014-4223, CVE-2014-4247, CVE-2014-4218, CVE-2014-4221, CVE-2014-4262, CVE-2014-4227, CVE-2014-4208, CVE-2014-4209, CVE-2014-4265, CVE-2014-4244,\r\nCVE-2014-4216, 
CVE-2011-0020, CVE-2011-0064, CVE-2014-3638, CVE-2014-3639, CVE-2014-3513, CVE-2014-3567, CVE-2014-3568, CVE-2014-3566, CVE-2014-4330, CVE-2014-3613, CVE-2014-3620, CVE-2015-0512\r\n\r\nSeverity Rating: View details below for CVSSv2 scores\r\n\r\nAffected products: \r\nUnisphere Central versions prior to 4.0\r\n\r\nSummary: \r\nUnisphere Central requires an update to address various security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.\r\n\r\nDetails: \r\nUnisphere Central requires an update to address various security vulnerabilities:\r\n\r\n1.\tUnvalidated Redirect Vulnerability (CVE-2015-0512)\r\n\r\nA potential vulnerability in Unisphere Central may allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. The attacker can specify the location of the arbitrary site in the unvalidated parameter of a crafted URL. If this URL is accessed, the browser is redirected to the arbitrary site specified in the parameter.\r\n\r\nCVSSv2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)\r\n\r\n2.\tMultiple Embedded Component Vulnerabilities\r\n\r\nThe following vulnerabilities affecting multiple embedded components were addressed:\r\n\r\n\u2022\tPostgreSQL (CVE-2013-1899, CVE-2013-1900, CVE-2013-1901, CVE-2013-1902)\r\n\u2022\tApache Tomcat HTTP Digest Access Bypass (CVE-2012-5885)\r\n\u2022\tSSL3.0/TLS1.0 Weak CBC Mode Vulnerability (CVE-2011-3389)\r\n\u2022\tSUSE Kernel Updates (CVE-2013-1767, CVE-2012-2137, CVE-2012-6548, CVE-2013-1797, CVE-2013-0231,CVE-2013-1774, CVE-2013-1848, CVE-2013-0311, CVE-2013-2634, CVE-2013-0268, CVE-2013-0913, CVE-2013-1772, CVE-2013-0216, CVE-2013-1792, CVE-2012-6549, CVE-2013-2635, CVE-2013-0914, CVE-2013-1796, CVE-2013-0160, CVE-2013-1860, CVE-2013-0349, CVE-2013-1798)\r\n\u2022\tLibgcrypt (CVE-2013-4242)\r\n\u2022\tcURL/libcURL Multiple Vulnerabilities (CVE-2014-0138, CVE-2014-0139, CVE-2014-0015, CVE-2014-3613, CVE-2014-3620)\r\n\u2022\tOpenSSL 
Multiple Vulnerabilities (CVE-2010-5298, CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139, CVE-2014-3513, CVE-2014-3567, CVE-2014-3568, CVE-2014-3566)\r\n\u2022\tGNU Privacy Guard (GPG2) Update (CVE-2012-6085)\r\n\u2022\tJava Runtime Environment (CVE-2014-2403, CVE-2014-0446, CVE-2014-0457, CVE-2014-0453, CVE-2014-2412, CVE-2014-2398, CVE-2014-0458, CVE-2014-2397, CVE-2014-0460, CVE-2014-0429, CVE-2014-2428, CVE-2014-2423, CVE-2014-2420, CVE-2014-0448, CVE-2014-0459, CVE-2014-2427, CVE-2014-2414, CVE-2014-0461, CVE-2014-0454, CVE-2014-2422, CVE-2014-0464, CVE-2014-2401, CVE-2014-0456, CVE-2014-0455, CVE-2014-0451, CVE-2014-0449, CVE-2014-0432, CVE-2014-0463, CVE-2014-2410, CVE-2014-2413, CVE-2014-2421, CVE-2014-2409, CVE-2014-2402, CVE-2014-0452, CVE-2014-4220, CVE-2014-2490, CVE-2014-4266, CVE-2014-4219, CVE-2014-2483, CVE-2014-4263, CVE-2014-4264, CVE-2014-4268, CVE-2014-4252, CVE-2014-4223, CVE-2014-4247, CVE-2014-4218, CVE-2014-4221, CVE-2014-4262, CVE-2014-4227, CVE-2014-4208, CVE-2014-4209, CVE-2014-4265, CVE-2014-4244, CVE-2014-4216)\r\n\u2022\tOpenSSH Denial of Service (CVE-2010-5107)\r\n\u2022\tNetwork Security Services (NSS) Update (CVE-2014-1545, CVE-2014-1541, CVE-2014-1534, CVE-2014-1533, CVE-2014-1536, CVE-2014-1537, CVE-2014-1538)\r\n\u2022\t Xorg-X11 Update (CVE-2013-2005, CVE-2013-2002)\r\n\u2022\tGnuTLS SSL Verification Vulnerability (CVE-2014-0092)\r\n\u2022\tPango Security Update (CVE-2011-0020, CVE-2011-0064)\r\n\u2022\tD-Bus Denial of Service (CVE-2014-3638,CVE-2014-3639)\r\n\u2022\tPerl Denial of Service (CVE-2014-4330)\r\nCVSSv2 Base Score: Refer to NVD (http://nvd.nist.gov) for individual scores for each CVE listed above\r\n\r\nFor more information about any of the Common Vulnerabilities and Exposures (CVEs) mentioned here, consult the National Vulnerability Database (NVD) at 
http://nvd.nist.gov/home.cfm. To search for a particular CVE, use the NVD database\u2019s search utility at http://web.nvd.nist.gov/view/vuln/search\r\n\r\nResolution: \r\nThe following Unisphere Central release contains resolutions to the above issues:\r\n\u2022\tUnisphere Central version 4.0.\r\n\r\nEMC strongly recommends all customers upgrade at the earliest opportunity. Contact EMC Unisphere Central customer support to download the required upgrades. \r\n\r\nLink to remedies:\r\nRegistered EMC Online Support customers can download patches and software from support.emc.com at: https://support.emc.com/products/28224_Unisphere-Central\r\n\r\n\r\nIf you have any questions, please contact EMC Support.\r\n\r\nRead and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867. \r\n\r\n\r\nFor an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. EMC Corporation distributes EMC Security Advisories, in order to bring to the attention of users of the affected EMC products, important security information. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. 
In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.\r\n\r\nEMC Product Security Response Center\r\nsecurity_alert@emc.com\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (Cygwin)\r\n\r\niEYEARECAAYFAlTKSaIACgkQtjd2rKp+ALzINgCg01qlCrN0carogi8MwnbjGNrP\r\n6oIAnRiS6bIIqnGmGN0c+ayX74Qad4vY\r\n=5UIE\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2015-02-02T00:00:00", "published": "2015-02-02T00:00:00", "id": "SECURITYVULNS:DOC:31682", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31682", "title": "ESA-2015-002: Unisphere Central Security Update for Multiple Vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:25", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3639"], "description": "\nSimon McVittie reports:\n\nDo not accept an extra fd in the padding of a cmsg message,\n\t which could lead to a 4-byte heap buffer overrun\n\t (CVE-2014-3635).\nReduce default for maximum Unix file descriptors passed per\n\t message from 1024 to 16, preventing a uid with the default\n\t maximum number of connections from exhausting the system\n\t bus' file descriptors under Linux's default rlimit\n\t (CVE-2014-3636).\nDisconnect connections that still have a fd pending\n\t unmarshalling after a new configurable limit,\n\t pending_fd_timeout (defaulting to 150 seconds), removing\n\t the possibility of creating an abusive connection that\n\t cannot be disconnected by setting up a circular 
reference\n\t to a connection's file descriptor (CVE-2014-3637).\nReduce default for maximum pending replies per connection\n\t from 8192 to 128, mitigating an algorithmic complexity\n\t denial-of-service attack (CVE-2014-3638).\nReduce default for authentication timeout on the system\n\t bus from 30 seconds to 5 seconds, avoiding denial of service\n\t by using up all unauthenticated connection slots; and when\n\t all unauthenticated connection slots are used up, make new\n\t connection attempts block instead of disconnecting them\n\t (CVE-2014-3639).\n\n", "edition": 4, "modified": "2014-09-16T00:00:00", "published": "2014-09-16T00:00:00", "id": "38242D51-3E58-11E4-AC2F-BCAEC565249C", "href": "https://vuxml.freebsd.org/freebsd/38242d51-3e58-11e4-ac2f-bcaec565249c.html", "title": "dbus -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:23", "bulletinFamily": "unix", "cvelist": ["CVE-2014-7824"], "description": "\nSimon McVittie reports:\n\nThe patch issued by the D-Bus maintainers for CVE-2014-3636\n\t was based on incorrect reasoning, and does not fully prevent\n\t the attack described as \"CVE-2014-3636 part A\", which is\n\t repeated below. Preventing that attack requires raising the\n\t system dbus-daemon's RLIMIT_NOFILE (ulimit -n) to a higher\n\t value. CVE-2014-7824 has been allocated for this\n\t vulnerability.\n\n", "edition": 4, "modified": "2014-11-10T00:00:00", "published": "2014-11-10T00:00:00", "id": "C1930F45-6982-11E4-80E1-BCAEC565249C", "href": "https://vuxml.freebsd.org/freebsd/c1930f45-6982-11e4-80e1-bcaec565249c.html", "title": "dbus -- incomplete fix for CVE-2014-3636 part A", "type": "freebsd", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:33:26", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3532", "CVE-2014-3533"], "description": "\nSimon McVittie reports:\n\nAlban Crequy at Collabora Ltd. 
discovered a bug in dbus-daemon's\n\t support for file descriptor passing. A malicious process could\n\t force system services or user applications to be disconnected\n\t from the D-Bus system bus by sending them a message containing\n\t a file descriptor, then causing that file descriptor to exceed\n\t the kernel's maximum recursion depth (itself introduced to fix\n\t a DoS) before dbus-daemon forwards the message to the victim\n\t process. Most services and applications exit when disconnected\n\t from the system bus, leading to a denial of service.\nAdditionally, Alban discovered that bug fd.o#79694, a bug\n\t previously reported by Alejandro Mart\u00ednez Su\u00e1rez which was not\n\t believed to be a security flaw, could be used for a similar denial\n\t of service, by causing dbus-daemon to attempt to forward invalid\n\t file descriptors to a victim process when file descriptors become\n\t associated with the wrong message.\n\n", "edition": 4, "modified": "2014-07-02T00:00:00", "published": "2014-07-02T00:00:00", "id": "E6A7636A-02D0-11E4-88B6-080027671656", "href": "https://vuxml.freebsd.org/freebsd/e6a7636a-02d0-11e4-88b6-080027671656.html", "title": "dbus -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:33:27", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3477"], "description": "\nSimon McVittie reports:\n\nAlban Crequy at Collabora Ltd. discovered and fixed a\n\t denial-of-service flaw in dbus-daemon, part of the reference\n\t implementation of D-Bus. 
Additionally, in highly unusual\n\t environments the same flaw could lead to a side channel between\n\t processes that should not be able to communicate.\n\n", "edition": 4, "modified": "2014-06-10T00:00:00", "published": "2014-06-10T00:00:00", "id": "52BBC7E8-F13C-11E3-BC09-BCAEC565249C", "href": "https://vuxml.freebsd.org/freebsd/52bbc7e8-f13c-11e3-bc09-bcaec565249c.html", "title": "dbus -- local DoS", "type": "freebsd", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}], "debian": [{"lastseen": "2019-05-30T02:22:02", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3639"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3026-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nSeptember 16, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : dbus\nCVE ID : CVE-2014-3635 CVE-2014-3636 CVE-2014-3637 CVE-2014-3638 \n CVE-2014-3639\n\nAlban Crequy and Simon McVittie discovered several vulnerabilities in\nthe D-Bus message daemon.\n\nCVE-2014-3635\n\n On 64-bit platforms, file descriptor passing could be abused by\n local users to cause heap corruption in dbus-daemon,\n leading to a crash, or potentially to arbitrary code execution.\n\nCVE-2014-3636\n\n A denial-of-service vulnerability in dbus-daemon allowed local\n attackers to prevent new connections to dbus-daemon, or disconnect\n existing clients, by exhausting descriptor limits.\n\nCVE-2014-3637\n\n Malicious local users could create D-Bus connections to\n dbus-daemon which could not be terminated by killing the\n participating processes, resulting in a denial-of-service\n vulnerability.\n\nCVE-2014-3638\n\n dbus-daemon suffered from a denial-of-service vulnerability in the\n code which tracks which messages expect a reply, allowing local\n attackers to 
reduce the performance of dbus-daemon.\n\nCVE-2014-3639\n\n dbus-daemon did not properly reject malicious connections from\n local users, resulting in a denial-of-service vulnerability.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 1.6.8-1+deb7u4.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.8.8-1.\n\nWe recommend that you upgrade your dbus packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2014-09-16T18:34:28", "published": "2014-09-16T18:34:28", "id": "DEBIAN:DSA-3026-1:0453E", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00213.html", "title": "[SECURITY] [DSA 3026-1] dbus security update", "type": "debian", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:21:41", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3477"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2971-1 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nJuly 02, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : dbus\nCVE ID : CVE-2014-3477 CVE-2014-3532 CVE-2014-3533\n\nSeveral vulnerabilities have been discovered in dbus, an asynchronous\ninter-process communication system. The Common Vulnerabilities and\nExposures project identifies the following problems:\n\nCVE-2014-3477\n\n Alban Crequy at Collabora Ltd. discovered that dbus-daemon sends an\n AccessDenied error to the service instead of a client when the\n client is prohibited from accessing the service. 
A local attacker\n could use this flaw to cause a bus-activated service that is not\n currently running to attempt to start, and fail, denying other users\n access to this service.\n\nCVE-2014-3532\n\n Alban Crequy at Collabora Ltd. discovered a bug in dbus-daemon's\n support for file descriptor passing. A malicious process could force\n system services or user applications to be disconnected from the\n D-Bus system by sending them a message containing a file descriptor,\n leading to a denial of service.\n\nCVE-2014-3533\n\n Alban Crequy at Collabora Ltd. and Alejandro Martinez Suarez\n discovered that a malicious process could force services to be\n disconnected from the D-Bus system by causing dbus-daemon to attempt\n to forward invalid file descriptors to a victim process, leading to\n a denial of service.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 1.6.8-1+deb7u3.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.8.6-1.\n\nWe recommend that you upgrade your dbus packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2014-07-02T18:41:00", "published": "2014-07-02T18:41:00", "id": "DEBIAN:DSA-2971-1:10302", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00152.html", "title": "[SECURITY] [DSA 2971-1] dbus security update", "type": "debian", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-11-11T13:16:14", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3638", "CVE-2014-3477", "CVE-2014-3639"], "description": "Package : dbus\nVersion : 1.2.24-4+squeeze3\nCVE ID : CVE-2014-3477 CVE-2014-3638 CVE-2014-3639\n\nThis update fixes multiple (local) denial-of-service issues discovered by Alban\nCrequy 
and Simon McVittie.\n\nCVE-2014-3477\n\n Fix a denial of service (failure to obtain bus name) in\n newly-activated system services that not all users are allowed to\n access.\n\nCVE-2014-3638\n\n Reduce maximum number of pending replies per connection to avoid\n algorithmic complexity denial of service.\n\nCVE-2014-3639\n\n The daemon now limits the number of unauthenticated connection slots\n so that malicious processes cannot prevent new connections to the\n system bus.\n\n-- \nRapha\u00ebl Hertzog \u25c8 Debian Developer\n\nSupport Debian LTS: http://www.freexian.com/services/debian-lts.html\nLearn to master Debian: http://debian-handbook.info/get/\n", "edition": 7, "modified": "2014-11-20T13:28:55", "published": "2014-11-20T13:28:55", "id": "DEBIAN:DLA-87-1:B379F", "href": "https://lists.debian.org/debian-lts-announce/2014/debian-lts-announce-201411/msg00006.html", "title": "[SECURITY] [DLA 87-1] dbus security update", "type": "debian", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-08-12T01:05:22", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3636", "CVE-2014-7824"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3099-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nDecember 11, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : dbus\nCVE ID : CVE-2014-7824\n\nSimon McVittie discovered that the fix for CVE-2014-3636 was\nincorrect, as it did not fully address the underlying\ndenial-of-service vector. This update starts the D-Bus daemon as root\ninitially, so that it can properly raise its file descriptor count.\n\nIn addition, this update reverts the auth_timeout change in the\nprevious security update to its old value because the new value causes\nboot failures on some systems. 
See the README.Debian file for details\nhow to harden the D-Bus daemon against malicious local users.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 1.6.8-1+deb7u5.\n\nFor the upcoming stable distribution (jessie) and the unstable\ndistribution (sid), these problems have been fixed in version 1.8.10-1.\n\nWe recommend that you upgrade your dbus packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 9, "modified": "2014-12-11T21:15:42", "published": "2014-12-11T21:15:42", "id": "DEBIAN:DSA-3099-1:DAD5F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00289.html", "title": "[SECURITY] [DSA 3099-1] dbus security update", "type": "debian", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:34:53", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3636", "CVE-2014-3638", "CVE-2014-3635", "CVE-2014-3637", "CVE-2014-3639"], "description": "Simon McVittie discovered that DBus incorrectly handled the file \ndescriptors message limit. A local attacker could use this issue to cause \nDBus to crash, resulting in a denial of service, or possibly execute \narbitrary code. This issue only applied to Ubuntu 12.04 LTS and Ubuntu \n14.04 LTS. (CVE-2014-3635)\n\nAlban Crequy discovered that DBus incorrectly handled a large number of \nfile descriptor messages. A local attacker could use this issue to cause \nDBus to stop responding, resulting in a denial of service. This issue only \napplied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3636)\n\nAlban Crequy discovered that DBus incorrectly handled certain file \ndescriptor messages. 
A local attacker could use this issue to cause DBus \nto maintain persistent connections, possibly resulting in a denial of \nservice. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. \n(CVE-2014-3637)\n\nAlban Crequy discovered that DBus incorrectly handled a large number of \nparallel connections and parallel message calls. A local attacker could use \nthis issue to cause DBus to consume resources, possibly resulting in a \ndenial of service. (CVE-2014-3638)\n\nAlban Crequy discovered that DBus incorrectly handled incomplete \nconnections. A local attacker could use this issue to cause DBus to fail \nlegitimate connection attempts, resulting in a denial of service. \n(CVE-2014-3639)", "edition": 5, "modified": "2014-09-22T00:00:00", "published": "2014-09-22T00:00:00", "id": "USN-2352-1", "href": "https://ubuntu.com/security/notices/USN-2352-1", "title": "DBus vulnerabilities", "type": "ubuntu", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-02T11:40:12", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3532", "CVE-2014-3533", "CVE-2014-3477"], "description": "Alban Crequy discovered that dbus-daemon incorrectly sent AccessDenied \nerrors to the service instead of the client when enforcing permissions. A \nlocal user can use this issue to possibly deny access to the service. \n(CVE-2014-3477)\n\nAlban Crequy discovered that dbus-daemon incorrectly handled certain file \ndescriptors. A local attacker could use this issue to cause services or \nclients to disconnect, resulting in a denial of service. 
(CVE-2014-3532, \nCVE-2014-3533)", "edition": 5, "modified": "2014-07-08T00:00:00", "published": "2014-07-08T00:00:00", "id": "USN-2275-1", "href": "https://ubuntu.com/security/notices/USN-2275-1", "title": "DBus vulnerabilities", "type": "ubuntu", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-02T11:38:50", "bulletinFamily": "unix", "cvelist": ["CVE-2014-7824"], "description": "It was discovered that DBus incorrectly handled a large number of file \ndescriptor messages. A local attacker could use this issue to cause DBus to \nstop responding, resulting in a denial of service. (CVE-2014-7824)", "edition": 5, "modified": "2014-11-27T00:00:00", "published": "2014-11-27T00:00:00", "id": "USN-2425-1", "href": "https://ubuntu.com/security/notices/USN-2425-1", "title": "DBus vulnerability", "type": "ubuntu", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}], "cve": [{"lastseen": "2020-10-03T12:01:21", "description": "D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636.1.", "edition": 3, "cvss3": {}, "published": "2014-11-18T15:59:00", "title": "CVE-2014-7824", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7824"], "modified": "2017-09-08T01:29:00", "cpe": ["cpe:/a:d-bus_project:d-bus:1.6.2", "cpe:/a:d-bus_project:d-bus:1.8.4", "cpe:/a:d-bus_project:d-bus:1.9.0", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:d-bus_project:d-bus:1.6.6", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/a:d-bus_project:d-bus:1.6.20", "cpe:/a:d-bus_project:d-bus:1.6.0", "cpe:/o:mageia_project:mageia:3", "cpe:/a:d-bus_project:d-bus:1.6.22", "cpe:/a:d-bus_project:d-bus:1.6.24", "cpe:/a:d-bus_project:d-bus:1.6.12", "cpe:/o:canonical:ubuntu_linux:14.10", "cpe:/a:d-bus_project:d-bus:1.6.4", "cpe:/o:mageia_project:mageia:4", "cpe:/a:d-bus_project:d-bus:1.8.6", "cpe:/a:d-bus_project:d-bus:1.6.10", "cpe:/a:d-bus_project:d-bus:1.8.2", "cpe:/a:d-bus_project:d-bus:1.6.14", "cpe:/o:debian:debian_linux:7.0", "cpe:/a:d-bus_project:d-bus:1.6.18", "cpe:/a:d-bus_project:d-bus:1.6.8", "cpe:/a:d-bus_project:d-bus:1.6.16", "cpe:/a:d-bus_project:d-bus:1.8.8", "cpe:/a:d-bus_project:d-bus:1.8.0", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2014-7824", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7824", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:mageia_project:mageia:4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.2:*:*:*:*:*:*:*", 
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.8:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.22:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.8:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.10:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.12:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.18:*:*:*:*:*:*:*", "cpe:2.3:o:mageia_project:mageia:3:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.16:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.6:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.20:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.24:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.14:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.6:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:58:24", "description": "Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.", "edition": 5, "cvss3": {}, "published": "2014-09-22T15:55:00", "title": "CVE-2014-3635", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3635"], "modified": "2018-10-30T16:27:00", "cpe": ["cpe:/a:d-bus_project:d-bus:1.6.2", "cpe:/a:d-bus_project:d-bus:1.8.4", "cpe:/a:d-bus_project:d-bus:1.6.6", "cpe:/a:d-bus_project:d-bus:1.6.20", "cpe:/a:d-bus_project:d-bus:1.6.0", "cpe:/a:d-bus_project:d-bus:1.6.22", "cpe:/a:d-bus_project:d-bus:1.6.12", "cpe:/a:d-bus_project:d-bus:1.6.4", "cpe:/a:d-bus_project:d-bus:1.8.6", "cpe:/a:d-bus_project:d-bus:1.6.10", "cpe:/a:d-bus_project:d-bus:1.8.2", "cpe:/a:d-bus_project:d-bus:1.6.14", "cpe:/a:d-bus_project:d-bus:1.6.18", "cpe:/a:d-bus_project:d-bus:1.6.8", "cpe:/o:opensuse:opensuse:12.3", "cpe:/a:d-bus_project:d-bus:1.6.16", "cpe:/a:d-bus_project:d-bus:1.8.0"], "id": "CVE-2014-3635", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3635", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:d-bus_project:d-bus:1.8.2:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.22:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.8:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.10:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.12:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.18:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.16:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.6:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.20:*:*:*:*:*:*:*", 
"cpe:2.3:a:d-bus_project:d-bus:1.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.14:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.6:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:58:23", "description": "dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded.", "edition": 6, "cvss3": {}, "published": "2014-07-19T19:55:00", "title": "CVE-2014-3532", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3532"], "modified": "2020-08-11T14:22:00", "cpe": ["cpe:/o:mageia:mageia:4.0", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:mageia:mageia:3.0", "cpe:/o:opensuse:opensuse:12.3", "cpe:/o:oracle:solaris:11.3"], "id": "CVE-2014-3532", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3532", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "cpe:2.3:o:mageia:mageia:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*", "cpe:2.3:o:mageia:mageia:3.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:01:17", "description": "D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which 
allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor.\n<a href=\"http://cwe.mitre.org/data/definitions/775.html\">CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime</a>", "edition": 4, "cvss3": {}, "published": "2014-09-22T15:55:00", "title": "CVE-2014-3637", "type": "cve", "cwe": ["CWE-17"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3637"], "modified": "2019-06-24T21:15:00", "cpe": ["cpe:/a:d-bus_project:d-bus:1.6.2", "cpe:/a:d-bus_project:d-bus:1.8.4", "cpe:/a:d-bus_project:d-bus:1.4.20", "cpe:/a:d-bus_project:d-bus:1.5.0", "cpe:/a:d-bus_project:d-bus:1.4.4", "cpe:/a:d-bus_project:d-bus:1.4.22", "cpe:/a:d-bus_project:d-bus:1.4.10", "cpe:/a:d-bus_project:d-bus:1.4.16", "cpe:/a:d-bus_project:d-bus:1.6.6", "cpe:/a:d-bus_project:d-bus:1.4.26", "cpe:/a:d-bus_project:d-bus:1.5.10", "cpe:/a:d-bus_project:d-bus:1.6.20", "cpe:/a:d-bus_project:d-bus:1.6.0", "cpe:/a:d-bus_project:d-bus:1.4.1", "cpe:/a:d-bus_project:d-bus:1.4.8", "cpe:/a:d-bus_project:d-bus:1.6.22", "cpe:/a:d-bus_project:d-bus:1.4.18", "cpe:/a:d-bus_project:d-bus:1.4.14", "cpe:/a:d-bus_project:d-bus:1.6.12", "cpe:/a:d-bus_project:d-bus:1.4.6", "cpe:/a:d-bus_project:d-bus:1.5.6", "cpe:/a:d-bus_project:d-bus:1.4.12", "cpe:/a:d-bus_project:d-bus:1.5.8", "cpe:/a:d-bus_project:d-bus:1.4.24", "cpe:/a:d-bus_project:d-bus:1.5.4", "cpe:/a:d-bus_project:d-bus:1.6.4", "cpe:/a:d-bus_project:d-bus:1.3.1", "cpe:/a:d-bus_project:d-bus:1.5.12", 
"cpe:/a:d-bus_project:d-bus:1.8.6", "cpe:/a:d-bus_project:d-bus:1.6.10", "cpe:/a:d-bus_project:d-bus:1.8.2", "cpe:/a:d-bus_project:d-bus:1.6.14", "cpe:/a:d-bus_project:d-bus:1.4.0", "cpe:/a:d-bus_project:d-bus:1.6.18", "cpe:/a:d-bus_project:d-bus:1.5.2", "cpe:/a:d-bus_project:d-bus:1.6.8", "cpe:/a:d-bus_project:d-bus:1.3.0", "cpe:/o:opensuse:opensuse:12.3", "cpe:/a:d-bus_project:d-bus:1.6.16", "cpe:/a:d-bus_project:d-bus:1.8.0"], "id": "CVE-2014-3637", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3637", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:d-bus_project:d-bus:1.8.2:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.16:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.12:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.20:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.10:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.18:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.26:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.5.8:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.24:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.22:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.5.10:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.8:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.14:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.3.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:d-bus_project:d-bus:1.6.10:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.5.12:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.12:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.18:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.16:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.6:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.20:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.14:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.22:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.6:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:01:17", "description": "dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.", "edition": 3, "cvss3": {}, "published": "2014-07-19T19:55:00", "title": "CVE-2014-3533", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3533"], "modified": "2018-10-30T16:27:00", "cpe": ["cpe:/a:d-bus_project:d-bus:1.6.2", "cpe:/a:d-bus_project:d-bus:1.8.4", "cpe:/a:d-bus_project:d-bus:1.4.20", "cpe:/a:d-bus_project:d-bus:1.5.0", "cpe:/a:d-bus_project:d-bus:1.4.4", "cpe:/a:d-bus_project:d-bus:1.4.22", "cpe:/a:d-bus_project:d-bus:1.4.10", 
"cpe:/a:d-bus_project:d-bus:1.4.16", "cpe:/a:d-bus_project:d-bus:1.4.26", "cpe:/a:d-bus_project:d-bus:1.5.10", "cpe:/a:d-bus_project:d-bus:1.6.20", "cpe:/a:d-bus_project:d-bus:1.6.0", "cpe:/a:d-bus_project:d-bus:1.4.1", "cpe:/o:mageia_project:mageia:3", "cpe:/a:d-bus_project:d-bus:1.4.8", "cpe:/a:d-bus_project:d-bus:1.4.18", "cpe:/a:d-bus_project:d-bus:1.4.14", "cpe:/a:d-bus_project:d-bus:1.6.12", "cpe:/a:d-bus_project:d-bus:1.4.6", "cpe:/a:d-bus_project:d-bus:1.5.6", "cpe:/a:d-bus_project:d-bus:1.4.12", "cpe:/a:d-bus_project:d-bus:1.5.8", "cpe:/a:d-bus_project:d-bus:1.4.24", "cpe:/a:d-bus_project:d-bus:1.5.4", "cpe:/a:d-bus_project:d-bus:1.3.1", "cpe:/a:d-bus_project:d-bus:1.5.12", "cpe:/o:mageia_project:mageia:4", "cpe:/a:d-bus_project:d-bus:1.6.10", "cpe:/a:d-bus_project:d-bus:1.8.2", "cpe:/a:d-bus_project:d-bus:1.6.14", "cpe:/a:d-bus_project:d-bus:1.4.0", "cpe:/o:debian:debian_linux:7.0", "cpe:/a:d-bus_project:d-bus:1.6.18", "cpe:/a:d-bus_project:d-bus:1.5.2", "cpe:/a:d-bus_project:d-bus:1.3.0", "cpe:/o:opensuse:opensuse:12.3", "cpe:/a:d-bus_project:d-bus:1.6.16", "cpe:/a:d-bus_project:d-bus:1.8.0"], "id": "CVE-2014-3533", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3533", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:mageia_project:mageia:4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.2:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.16:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.12:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.20:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.10:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.18:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.5.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:d-bus_project:d-bus:1.4.26:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.5.8:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.24:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.5.10:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.14:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.10:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.5.12:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.12:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.18:*:*:*:*:*:*:*", "cpe:2.3:o:mageia_project:mageia:3:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.16:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.20:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.14:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.22:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:58:24", "description": "The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls.", "edition": 5, "cvss3": {}, "published": "2014-09-22T15:55:00", "title": "CVE-2014-3638", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": 
"PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3638"], "modified": "2018-10-30T16:27:00", "cpe": ["cpe:/a:d-bus_project:d-bus:1.6.2", "cpe:/a:d-bus_project:d-bus:1.8.4", "cpe:/a:d-bus_project:d-bus:1.6.6", "cpe:/a:d-bus_project:d-bus:1.6.20", "cpe:/a:d-bus_project:d-bus:1.6.0", "cpe:/a:d-bus_project:d-bus:1.6.22", "cpe:/a:d-bus_project:d-bus:1.6.12", "cpe:/a:d-bus_project:d-bus:1.6.4", "cpe:/a:d-bus_project:d-bus:1.8.6", "cpe:/a:d-bus_project:d-bus:1.6.10", "cpe:/a:d-bus_project:d-bus:1.8.2", "cpe:/a:d-bus_project:d-bus:1.6.14", "cpe:/a:d-bus_project:d-bus:1.6.18", "cpe:/a:d-bus_project:d-bus:1.6.8", "cpe:/o:opensuse:opensuse:12.3", "cpe:/a:d-bus_project:d-bus:1.6.16", "cpe:/a:d-bus_project:d-bus:1.8.0"], "id": "CVE-2014-3638", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3638", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:d-bus_project:d-bus:1.8.2:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.22:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.8:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.10:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.12:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.18:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.16:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.6:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.20:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.14:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.6:*:*:*:*:*:*:*"]}, 
{"lastseen": "2020-10-03T12:01:17", "description": "The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service.", "edition": 3, "cvss3": {}, "published": "2014-07-01T17:55:00", "title": "CVE-2014-3477", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3477"], "modified": "2015-04-15T02:00:00", "cpe": ["cpe:/a:d-bus_project:d-bus:1.6.2", "cpe:/a:d-bus_project:d-bus:1.2.12", "cpe:/a:d-bus_project:d-bus:1.2.26", "cpe:/a:d-bus_project:d-bus:1.4.20", "cpe:/a:d-bus_project:d-bus:1.4.4", "cpe:/a:d-bus_project:d-bus:1.2.4.6", "cpe:/a:d-bus_project:d-bus:1.4.22", "cpe:/a:d-bus_project:d-bus:1.2.28", "cpe:/a:d-bus_project:d-bus:1.4.10", "cpe:/a:d-bus_project:d-bus:1.4.16", "cpe:/a:d-bus_project:d-bus:1.6.6", "cpe:/a:d-bus_project:d-bus:1.4.26", "cpe:/a:d-bus_project:d-bus:1.2.24", "cpe:/a:d-bus_project:d-bus:1.2.20", "cpe:/a:d-bus_project:d-bus:1.6.0", "cpe:/a:d-bus_project:d-bus:1.4.1", "cpe:/a:d-bus_project:d-bus:1.4.8", "cpe:/a:d-bus_project:d-bus:1.4.18", "cpe:/a:d-bus_project:d-bus:1.2.14", "cpe:/a:d-bus_project:d-bus:1.4.14", "cpe:/a:d-bus_project:d-bus:1.6.12", "cpe:/a:d-bus_project:d-bus:1.2.8", "cpe:/a:d-bus_project:d-bus:1.4.6", 
"cpe:/a:d-bus_project:d-bus:1.4.12", "cpe:/a:d-bus_project:d-bus:1.4.24", "cpe:/a:d-bus_project:d-bus:1.2.6", "cpe:/a:d-bus_project:d-bus:1.6.4", "cpe:/a:d-bus_project:d-bus:1.3.1", "cpe:/a:d-bus_project:d-bus:1.2.4", "cpe:/a:d-bus_project:d-bus:1.2.22", "cpe:/a:d-bus_project:d-bus:1.2.10", "cpe:/a:d-bus_project:d-bus:1.6.10", "cpe:/a:d-bus_project:d-bus:1.8.2", "cpe:/a:d-bus_project:d-bus:1.6.14", "cpe:/a:d-bus_project:d-bus:1.4.0", "cpe:/a:d-bus_project:d-bus:1.2.3", "cpe:/a:d-bus_project:d-bus:1.6.18", "cpe:/a:d-bus_project:d-bus:1.2.4.2", "cpe:/a:d-bus_project:d-bus:1.2.16", "cpe:/a:d-bus_project:d-bus:1.2.30", "cpe:/a:d-bus_project:d-bus:1.2.1", "cpe:/a:d-bus_project:d-bus:1.6.8", "cpe:/a:d-bus_project:d-bus:1.2.4.4", "cpe:/a:d-bus_project:d-bus:1.3.0", "cpe:/a:d-bus_project:d-bus:1.6.16", "cpe:/a:d-bus_project:d-bus:1.2.18", "cpe:/a:d-bus_project:d-bus:1.8.0"], "id": "CVE-2014-3477", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3477", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:d-bus_project:d-bus:1.2.30:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.2.14:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.16:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.12:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.20:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.10:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.18:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.26:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.2.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.24:*:*:*:*:*:*:*", 
"cpe:2.3:a:d-bus_project:d-bus:1.2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.2.24:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.2.28:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.2.22:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.2.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.8:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.14:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.2.16:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.10:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.2.18:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.2.10:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.12:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.2.26:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.18:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.16:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.2.20:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.2.12:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.14:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.4.22:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.6:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:58:24", "description": "D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number 
of file descriptors for a single sendmsg call.", "edition": 5, "cvss3": {}, "published": "2014-10-25T20:55:00", "title": "CVE-2014-3636", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3636"], "modified": "2018-10-30T16:27:00", "cpe": ["cpe:/a:d-bus_project:d-bus:1.8.4", "cpe:/a:d-bus_project:d-bus:1.6.22", "cpe:/a:d-bus_project:d-bus:1.8.6", "cpe:/a:d-bus_project:d-bus:1.8.2", "cpe:/o:opensuse:opensuse:12.3", "cpe:/a:d-bus_project:d-bus:1.8.0"], "id": "CVE-2014-3636", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3636", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:d-bus_project:d-bus:1.8.2:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.22:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.6:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:58:24", "description": "The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections.\n<a href=\"http://cwe.mitre.org/data/definitions/774.html\">CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling</a>", "edition": 5, "cvss3": {}, "published": "2014-09-22T15:55:00", "title": 
"CVE-2014-3639", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3639"], "modified": "2018-10-30T16:27:00", "cpe": ["cpe:/a:d-bus_project:d-bus:1.6.2", "cpe:/a:d-bus_project:d-bus:1.8.4", "cpe:/a:d-bus_project:d-bus:1.6.6", "cpe:/a:d-bus_project:d-bus:1.6.20", "cpe:/a:d-bus_project:d-bus:1.6.0", "cpe:/a:d-bus_project:d-bus:1.6.22", "cpe:/a:d-bus_project:d-bus:1.6.12", "cpe:/a:d-bus_project:d-bus:1.6.4", "cpe:/a:d-bus_project:d-bus:1.8.6", "cpe:/a:d-bus_project:d-bus:1.6.10", "cpe:/a:d-bus_project:d-bus:1.8.2", "cpe:/a:d-bus_project:d-bus:1.6.14", "cpe:/a:d-bus_project:d-bus:1.6.18", "cpe:/a:d-bus_project:d-bus:1.6.8", "cpe:/o:opensuse:opensuse:12.3", "cpe:/a:d-bus_project:d-bus:1.6.16", "cpe:/a:d-bus_project:d-bus:1.8.0"], "id": "CVE-2014-3639", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3639", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:d-bus_project:d-bus:1.8.2:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.22:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.8:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.10:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.12:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.18:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.16:*:*:*:*:*:*:*", 
"cpe:2.3:a:d-bus_project:d-bus:1.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.6:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.20:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.14:*:*:*:*:*:*:*", "cpe:2.3:a:d-bus_project:d-bus:1.6.6:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2017-10-12T02:11:04", "bulletinFamily": "software", "cvelist": ["CVE-2014-3638"], "edition": 1, "description": " \n\n\nThe bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls. ([CVE-2014-3638](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3638>))\n\nImpact \n\n\nA locally authenticated user may be able to use the flaw in D-Bus to cause excessive resource consumption. There is no remote access vector for this issue on data or control plane. \n\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nTo mitigate this vulnerability, you should only permit management access to F5 products over a secure network and restrict command line access for affected systems to the trusted users. 
For more information, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "modified": "2016-01-09T02:24:00", "published": "2015-09-14T17:27:00", "id": "F5:K17256", "href": "https://support.f5.com/csp/article/K17256", "title": "D-Bus vulnerability CVE-2014-3638", "type": "f5", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-10-12T02:11:07", "bulletinFamily": "software", "cvelist": ["CVE-2014-3477"], "edition": 1, "description": " \n\n\nThe dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service. ([CVE-2014-3477](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3477>)) \n\n\nImpact \n\n\nThis vulnerability may allow a locally authenticated user to cause a denial-of-service (DoS) or possibly conduct a side-channel attack through a D-Bus message to an inactive service. 
\n\n\nFor Traffix SDC, the **dbus** daemon is used for package dependency reasons. The impact of the **dbus** daemon becoming unavailable is minimal. In addition, only administrative users are allowed on the Traffix SDC, limiting the number of potential attackers. \n\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x)](<https://support.f5.com/csp/article/K13123>)\n", "modified": "2016-01-09T02:24:00", "published": "2015-09-12T02:09:00", "href": "https://support.f5.com/csp/article/K17255", "id": "F5:K17255", "type": "f5", "title": "D-Bus vulnerability CVE-2014-3477", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:22:53", "bulletinFamily": "software", "cvelist": ["CVE-2014-3638"], "edition": 1, "description": "**Note**: As of February 17, 2015, AskF5 Security Advisory articles include the Severity value. 
Security Advisory articles published before this date do not list a Severity value.\n\n*The D-Bus daemon is only for package dependency reasons. The impact of the D-Bus daemon becoming unavailable is close to null. \n\n\nRecommended Action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nTo mitigate this vulnerability, you should only permit management access to F5 products over a secure network and restrict command line access for affected systems to the trusted users. 
For more information, refer to SOL13309: Restricting access to the Configuration utility by source IP address (11.x) and SOL13092: Overview of securing access to the BIG-IP system.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "modified": "2015-09-14T00:00:00", "published": "2015-09-14T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/17000/200/sol17256.html", "id": "SOL17256", "title": "SOL17256 - D-Bus vulnerability CVE-2014-3638", "type": "f5", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:00", "bulletinFamily": "software", "cvelist": ["CVE-2014-3477"], "edition": 1, "description": "**Note**: As of February 17, 2015, AskF5 Security Advisory articles include the Severity value. Security Advisory articles published before this date do not list a Severity value.\n\nRecommended Action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the Severity values published in the previous table. 
The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x)\n", "modified": "2015-09-11T00:00:00", "published": "2015-09-11T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/17000/200/sol17255.html", "id": "SOL17255", "title": "SOL17255 - D-Bus vulnerability CVE-2014-3477", "type": "f5", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-10-12T02:11:11", "bulletinFamily": "software", "cvelist": ["CVE-2014-3639"], "edition": 1, "description": "Description \n\n\nThe dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections. 
([CVE-2014-3639](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3639>)) \n\n\nImpact \n\n\nA local user may be able to run an application to exploit D-Bus and cause a disruption of service.\n\nStatus\n\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None \n| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable | None \n \nBIG-IP AAM | None \n| 12.0.0 \n11.4.0 - 11.6.0 \n| Not vulnerable | None \nBIG-IP AFM | None \n| 12.0.0 \n11.3.0 - 11.6.0 \n| Not vulnerable | None \nBIG-IP Analytics | None \n| 12.0.0 \n11.0.0 - 11.6.0 \n| Not vulnerable | None \nBIG-IP APM | None \n| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable | None \nBIG-IP ASM | None \n| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable | None \nBIG-IP DNS \n| None \n| 12.0.0 \n| Not vulnerable | None \nBIG-IP Edge Gateway \n| None \n| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP GTM | None \n| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable | None \nBIG-IP Link Controller | None \n| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable | None \nBIG-IP PEM | None \n| 12.0.0 \n11.3.0 - 11.6.0 \n| Not vulnerable | None \nBIG-IP PSM | None \n| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP WebAccelerator | None \n| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP WOM | None \n| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nARX | None \n| 6.0.0 - 6.4.0 \n| Not vulnerable | None \n \nEnterprise Manager | None \n| 3.0.0 - 3.1.1 | Not 
vulnerable | None \nFirePass | None \n| 7.0.0 \n6.0.0 - 6.1.0 \n| Not vulnerable | None \n \nBIG-IQ Cloud | None \n| 4.0.0 - 4.5.0 \n| Not vulnerable | None \n \nBIG-IQ Device | None \n| 4.2.0 - 4.5.0 \n| Not vulnerable | None \n \nBIG-IQ Security | None \n| 4.0.0 - 4.5.0 \n| Not vulnerable | None \n \nBIG-IQ ADC | None \n| 4.5.0 \n| Not vulnerable | None \n \nLineRate | None \n| 2.5.0 - 2.6.1 \n| Not vulnerable | None \n \nF5 WebSafe | None \n| 1.0.0 \n| Not vulnerable | None \n \nTraffix SDC | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 | None \n| Low \n| dbus-daemon in D-Bus \n \n \n**Note**: As of February 17, 2015, AskF5 Security Advisory articles include the Severity value. Security Advisory articles published before this date do not list a Severity value.\n\nRecommended Action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and restrict command line access for affected systems to trusted users. 
For more information, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\nSupplemental Information\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "modified": "2016-01-09T02:25:00", "published": "2015-09-11T20:54:00", "id": "F5:K17257", "href": "https://support.f5.com/csp/article/K17257", "title": "D-Bus vulnerability CVE-2014-3639", "type": "f5", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:18", "bulletinFamily": "software", "cvelist": ["CVE-2014-3639"], "edition": 1, "description": "**Note**: As of February 17, 2015, AskF5 Security Advisory articles include the Severity value. Security Advisory articles published before this date do not list a Severity value.\n\nRecommended Action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the Severity values published in the previous table. 
The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and restrict command line access for affected systems to trusted users. For more information, refer to SOL13309: Restricting access to the Configuration utility by source IP address (11.x) and SOL13092: Overview of securing access to the BIG-IP system.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL167: Downloading software and firmware from F5\n", "modified": "2015-09-11T00:00:00", "published": "2015-09-11T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/17000/200/sol17257.html", "id": "SOL17257", "title": "SOL17257 - D-Bus vulnerability CVE-2014-3639", "type": "f5", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:38", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3636", "CVE-2014-7824"], "description": "The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on\nincorrect reasoning and does not fully prevent the attack described in\nthe impact section below. 
Preventing that attack requires raising the\nsystem dbus-daemon's RLIMIT_NOFILE (ulimit -n) to a higher value.", "modified": "2014-11-23T00:00:00", "published": "2014-11-23T00:00:00", "id": "ASA-201411-28", "href": "https://lists.archlinux.org/pipermail/arch-security/2014-November/000153.html", "type": "archlinux", "title": "dbus: denial of service", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "suse": [{"lastseen": "2016-09-04T12:13:40", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3638", "CVE-2014-3639"], "description": "Various denial of service issues were fixed in the DBUS service.\n\n * CVE-2014-3638: dbus-daemon tracks whether method call messages\n expect a reply, so that unsolicited replies can be dropped. As\n currently implemented, if there are n parallel method calls in\n progress, each method reply takes O(n) CPU time. A malicious user\n could exploit this by opening the maximum allowed number of parallel\n connections and sending the maximum number of parallel method calls\n on each one, causing subsequent method calls to be unreasonably\n slow, a denial of service.\n * CVE-2014-3639: dbus-daemon allows a small number of "incomplete"\n connections (64 by default) whose identity has not yet been\n confirmed. When this limit has been reached, subsequent connections\n are dropped. 
Alban's testing indicates that one malicious process\n that makes repeated connection attempts, but never completes the\n authentication handshake and instead waits for dbus-daemon to time\n out and disconnect it, can cause the majority of legitimate\n connection attempts to fail.\n\n Security Issues:\n\n * CVE-2014-3638\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3638\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3638</a>>\n * CVE-2014-3638\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3638\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3638</a>>\n\n", "edition": 1, "modified": "2014-09-19T23:04:49", "published": "2014-09-19T23:04:49", "id": "SUSE-SU-2014:1146-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00026.html", "type": "suse", "title": "Security update for dbus-1 (important)", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-10-11T05:54:19", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6262", "CVE-2017-7407", "CVE-2015-8388", "CVE-2016-8620", "CVE-2016-8623", "CVE-2017-9233", "CVE-2016-5420", "CVE-2016-9840", "CVE-2016-3705", "CVE-2016-1840", "CVE-2014-0191", "CVE-2016-8615", "CVE-2016-8616", "CVE-2015-5276", "CVE-2015-3210", "CVE-2015-2325", "CVE-2016-6261", "CVE-2016-8619", "CVE-2017-10685", "CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2015-8391", "CVE-2016-6263", "CVE-2016-2108", "CVE-2016-9063", "CVE-2016-8618", "CVE-2016-1762", "CVE-2016-6302", "CVE-2016-5300", "CVE-2015-8395", "CVE-2016-7141", "CVE-2016-1834", "CVE-2017-11112", "CVE-2016-2177", "CVE-2014-7169", "CVE-2015-8382", "CVE-2016-3627", "CVE-2015-1283", "CVE-2014-6277", "CVE-2016-2105", "CVE-2016-9318", "CVE-2016-4483", "CVE-2016-2107", "CVE-2015-8386", "CVE-2014-6278", "CVE-2015-2327", "CVE-2017-9049", "CVE-2016-3075", "CVE-2016-8617", "CVE-2016-9842", "CVE-2016-7796", "CVE-2017-2616", 
"CVE-2016-0634", "CVE-2012-6702", "CVE-2015-3238", "CVE-2016-2180", "CVE-2016-1835", "CVE-2016-0787", "CVE-2016-1234", "CVE-2016-0718", "CVE-2016-6185", "CVE-2015-8392", "CVE-2016-4574", "CVE-2015-8389", "CVE-2016-2109", "CVE-2015-8380", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-4449", "CVE-2017-9048", "CVE-2014-8964", "CVE-2015-2059", "CVE-2017-11113", "CVE-2016-1283", "CVE-2016-6313", "CVE-2016-1837", "CVE-2016-6318", "CVE-2015-3622", "CVE-2016-4448", "CVE-2016-1238", "CVE-2015-8393", "CVE-2016-1838", "CVE-2016-3706", "CVE-2016-4429", "CVE-2016-2381", "CVE-2016-7543", "CVE-2017-1000101", "CVE-2016-8622", "CVE-2015-8853", "CVE-2014-7187", "CVE-2015-8394", "CVE-2016-4008", "CVE-2014-9770", "CVE-2015-3217", "CVE-2014-6271", "CVE-2017-7526", "CVE-2016-3191", "CVE-2017-1000366", "CVE-2016-1839", "CVE-2016-8624", "CVE-2015-8384", "CVE-2016-9843", "CVE-2017-9047", "CVE-2015-8948", "CVE-2014-7824", "CVE-2015-8842", "CVE-2016-9597", "CVE-2015-5218", "CVE-2016-6303", "CVE-2015-8383", "CVE-2017-1000100", "CVE-2015-8381", "CVE-2016-2182", "CVE-2016-5421", "CVE-2016-9586", "CVE-2015-5073", "CVE-2016-4447", "CVE-2016-5011", "CVE-2015-7511", "CVE-2015-8385", "CVE-2015-8806", "CVE-2016-9841", "CVE-2016-4579", "CVE-2015-0245", "CVE-2016-2037", "CVE-2016-2073", "CVE-2016-5419", "CVE-2015-2328", "CVE-2017-6507", "CVE-2016-4658", "CVE-2016-7167", "CVE-2017-10684", "CVE-2016-2179", "CVE-2016-2106", "CVE-2016-1833", "CVE-2015-8387", "CVE-2016-8621", "CVE-2015-8390", "CVE-2017-9050"], "description": "The SUSE Linux Enterprise Server 12 container image has been updated to\n include security and stability fixes.\n\n The following issues related to building of the container images have been\n fixed:\n\n - Included krb5 package to avoid the inclusion of krb5-mini which gets\n selected as a dependency by the Build Service solver. 
(bsc#1056193)\n - Do not install recommended packages when building container images.\n (bsc#975726)\n\n A number of security issues that have been already fixed by updates\n released for SUSE Linux Enterprise Server 12 are now included in the base\n image. A package/CVE cross-reference is available below.\n\n pam:\n\n - CVE-2015-3238\n\n libtasn1:\n\n - CVE-2015-3622\n - CVE-2016-4008\n\n libidn:\n\n - CVE-2015-2059\n - CVE-2015-8948\n - CVE-2016-6261\n - CVE-2016-6262\n - CVE-2016-6263\n\n zlib:\n\n - CVE-2016-9840\n - CVE-2016-9841\n - CVE-2016-9842\n - CVE-2016-9843\n\n curl:\n\n - CVE-2016-5419\n - CVE-2016-5420\n - CVE-2016-5421\n - CVE-2016-7141\n - CVE-2016-7167\n - CVE-2016-8615\n - CVE-2016-8616\n - CVE-2016-8617\n - CVE-2016-8618\n - CVE-2016-8619\n - CVE-2016-8620\n - CVE-2016-8621\n - CVE-2016-8622\n - CVE-2016-8623\n - CVE-2016-8624\n - CVE-2016-9586\n - CVE-2017-1000100\n - CVE-2017-1000101\n - CVE-2017-7407\n\n openssl:\n\n - CVE-2016-2105\n - CVE-2016-2106\n - CVE-2016-2107\n - CVE-2016-2108\n - CVE-2016-2109\n - CVE-2016-2177\n - CVE-2016-2178\n - CVE-2016-2179\n - CVE-2016-2180\n - CVE-2016-2181\n - CVE-2016-2182\n - CVE-2016-2183\n - CVE-2016-6302\n - CVE-2016-6303\n - CVE-2016-6304\n - CVE-2016-6306\n\n libxml2:\n\n - CVE-2014-0191\n - CVE-2015-8806\n - CVE-2016-1762\n - CVE-2016-1833\n - CVE-2016-1834\n - CVE-2016-1835\n - CVE-2016-1837\n - CVE-2016-1838\n - CVE-2016-1839\n - CVE-2016-1840\n - CVE-2016-2073\n - CVE-2016-3627\n - CVE-2016-3705\n - CVE-2016-4447\n - CVE-2016-4448\n - CVE-2016-4449\n - CVE-2016-4483\n - CVE-2016-4658\n - CVE-2016-9318\n - CVE-2016-9597\n - CVE-2017-9047\n - CVE-2017-9048\n - CVE-2017-9049\n - CVE-2017-9050\n\n util-linux:\n\n - CVE-2015-5218\n - CVE-2016-5011\n - CVE-2017-2616\n\n cracklib:\n\n - CVE-2016-6318\n\n systemd:\n\n - CVE-2014-9770\n - CVE-2015-8842\n - CVE-2016-7796\n\n pcre:\n\n - CVE-2014-8964\n - CVE-2015-2325\n - CVE-2015-2327\n - CVE-2015-2328\n - CVE-2015-3210\n - CVE-2015-3217\n - 
CVE-2015-5073\n - CVE-2015-8380\n - CVE-2015-8381\n - CVE-2015-8382\n - CVE-2015-8383\n - CVE-2015-8384\n - CVE-2015-8385\n - CVE-2015-8386\n - CVE-2015-8387\n - CVE-2015-8388\n - CVE-2015-8389\n - CVE-2015-8390\n - CVE-2015-8391\n - CVE-2015-8392\n - CVE-2015-8393\n - CVE-2015-8394\n - CVE-2015-8395\n - CVE-2016-1283\n - CVE-2016-3191\n\n appamor:\n\n - CVE-2017-6507\n\n bash:\n\n - CVE-2014-6277\n - CVE-2014-6278\n - CVE-2016-0634\n - CVE-2016-7543\n\n cpio:\n\n - CVE-2016-2037\n\n glibc:\n\n - CVE-2016-1234\n - CVE-2016-3075\n - CVE-2016-3706\n - CVE-2016-4429\n - CVE-2017-1000366\n\n perl:\n\n - CVE-2015-8853\n - CVE-2016-1238\n - CVE-2016-2381\n - CVE-2016-6185\n\n libssh2_org:\n\n - CVE-2016-0787\n\n expat:\n\n - CVE-2012-6702\n - CVE-2015-1283\n - CVE-2016-0718\n - CVE-2016-5300\n - CVE-2016-9063\n - CVE-2017-9233\n\n ncurses:\n\n - CVE-2017-10684\n - CVE-2017-10685\n - CVE-2017-11112\n - CVE-2017-11113\n\n libksba:\n\n - CVE-2016-4574\n - CVE-2016-4579\n\n libgcrypt:\n\n - CVE-2015-7511\n - CVE-2016-6313\n - CVE-2017-7526\n\n dbus-1:\n\n - CVE-2014-7824\n - CVE-2015-0245\n\n Finally, the following packages received non-security fixes:\n\n - augeas\n - bzip2\n - ca-certificates-mozilla\n - coreutils\n - cryptsetup\n - cyrus-sasl\n - dirmngr\n - e2fsprogs\n - findutils\n - gpg2\n - insserv-compat\n - kmod\n - libcap\n - libsolv\n - libzypp\n - openldap2\n - p11-kit\n - permissions\n - procps\n - rpm\n - sed\n - shadow\n - zypper\n\n", "edition": 1, "modified": "2017-10-11T03:06:53", "published": "2017-10-11T03:06:53", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00010.html", "id": "SUSE-SU-2017:2699-1", "title": "Security update for SLES 12 Docker image (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-10-11T05:54:20", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6262", "CVE-2016-7056", "CVE-2017-7407", "CVE-2015-8388", 
"CVE-2016-8620", "CVE-2016-8623", "CVE-2017-9233", "CVE-2016-5420", "CVE-2016-9840", "CVE-2016-3705", "CVE-2016-1840", "CVE-2014-0191", "CVE-2016-8615", "CVE-2016-8616", "CVE-2015-5276", "CVE-2015-3210", "CVE-2015-2325", "CVE-2016-6261", "CVE-2016-8619", "CVE-2017-10685", "CVE-2016-6306", "CVE-2016-2183", "CVE-2015-0860", "CVE-2016-2178", "CVE-2015-8391", "CVE-2016-6263", "CVE-2016-2108", "CVE-2016-9063", "CVE-2016-8618", "CVE-2016-1762", "CVE-2016-6302", "CVE-2016-5300", "CVE-2015-8395", "CVE-2016-7141", "CVE-2016-1834", "CVE-2017-11112", "CVE-2016-2177", "CVE-2014-7169", "CVE-2015-8382", "CVE-2016-3627", "CVE-2015-1283", "CVE-2014-6277", "CVE-2016-2105", "CVE-2016-9318", "CVE-2016-4483", "CVE-2016-2107", "CVE-2017-3731", "CVE-2015-8386", "CVE-2014-6278", "CVE-2015-2327", "CVE-2017-9049", "CVE-2016-3075", "CVE-2016-8617", "CVE-2016-9842", "CVE-2016-7796", "CVE-2017-2616", "CVE-2016-0634", "CVE-2012-6702", "CVE-2015-3238", "CVE-2016-2180", "CVE-2016-1835", "CVE-2016-0787", "CVE-2016-8610", "CVE-2016-1234", "CVE-2016-0718", "CVE-2016-6185", "CVE-2015-8392", "CVE-2016-4574", "CVE-2015-8389", "CVE-2016-2109", "CVE-2015-8380", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-4449", "CVE-2017-9048", "CVE-2014-8964", "CVE-2015-2059", "CVE-2017-11113", "CVE-2016-1283", "CVE-2016-6313", "CVE-2016-1837", "CVE-2016-6318", "CVE-2015-3622", "CVE-2016-4448", "CVE-2016-1238", "CVE-2015-8393", "CVE-2016-1838", "CVE-2016-3706", "CVE-2016-4429", "CVE-2016-2381", "CVE-2016-7543", "CVE-2017-1000101", "CVE-2016-8622", "CVE-2015-8853", "CVE-2014-7187", "CVE-2015-8394", "CVE-2016-4008", "CVE-2014-9770", "CVE-2015-3217", "CVE-2014-6271", "CVE-2017-7526", "CVE-2016-3191", "CVE-2017-1000366", "CVE-2016-1839", "CVE-2016-8624", "CVE-2015-8384", "CVE-2016-9843", "CVE-2017-9047", "CVE-2015-8948", "CVE-2014-7824", "CVE-2015-8842", "CVE-2016-9597", "CVE-2016-6303", "CVE-2015-8383", "CVE-2017-1000100", "CVE-2015-8381", "CVE-2016-2182", "CVE-2016-5421", "CVE-2016-9586", "CVE-2015-5073", 
"CVE-2016-4447", "CVE-2016-5011", "CVE-2015-7511", "CVE-2015-8385", "CVE-2015-8806", "CVE-2016-9841", "CVE-2016-4579", "CVE-2015-0245", "CVE-2016-2037", "CVE-2016-2073", "CVE-2016-5419", "CVE-2015-2328", "CVE-2017-6507", "CVE-2016-4658", "CVE-2016-7167", "CVE-2017-10684", "CVE-2016-2179", "CVE-2016-2106", "CVE-2016-1833", "CVE-2015-8387", "CVE-2016-8621", "CVE-2015-8390", "CVE-2017-9050"], "description": "The SUSE Linux Enterprise Server 12 SP1 container image has been updated\n to include security and stability fixes.\n\n The following issues related to building of the container images have been\n fixed:\n\n - Included krb5 package to avoid the inclusion of krb5-mini which gets\n selected as a dependency by the Build Service solver. (bsc#1056193)\n - Do not install recommended packages when building container images.\n (bsc#975726)\n\n A number of security issues that have been already fixed by updates\n released for SUSE Linux Enterprise Server 12 SP1 are now included in the\n base image. 
A package/CVE cross-reference is available below.\n\n pam:\n\n - CVE-2015-3238\n\n libtasn1:\n\n - CVE-2015-3622\n - CVE-2016-4008\n\n expat:\n\n expat:\n\n - CVE-2012-6702\n - CVE-2015-1283\n - CVE-2016-0718\n - CVE-2016-5300\n - CVE-2016-9063\n - CVE-2017-9233\n\n libidn:\n\n - CVE-2015-2059\n - CVE-2015-8948\n - CVE-2016-6261\n - CVE-2016-6262\n - CVE-2016-6263\n\n\n zlib:\n\n - CVE-2016-9840\n - CVE-2016-9841\n - CVE-2016-9842\n - CVE-2016-9843\n\n curl:\n\n - CVE-2016-5419\n - CVE-2016-5420\n - CVE-2016-5421\n - CVE-2016-7141\n - CVE-2016-7167\n - CVE-2016-8615\n - CVE-2016-8616\n - CVE-2016-8617\n - CVE-2016-8618\n - CVE-2016-8619\n - CVE-2016-8620\n - CVE-2016-8621\n - CVE-2016-8622\n - CVE-2016-8623\n - CVE-2016-8624\n - CVE-2016-9586\n - CVE-2017-1000100\n - CVE-2017-1000101\n - CVE-2017-7407\n\n openssl:\n\n - CVE-2016-2105\n - CVE-2016-2106\n - CVE-2016-2107\n - CVE-2016-2108\n - CVE-2016-2109\n - CVE-2016-2177\n - CVE-2016-2178\n - CVE-2016-2179\n - CVE-2016-2180\n - CVE-2016-2181\n - CVE-2016-2182\n - CVE-2016-2183\n - CVE-2016-6302\n - CVE-2016-6303\n - CVE-2016-6304\n - CVE-2016-6306\n - CVE-2016-7056\n - CVE-2016-8610\n - CVE-2017-3731\n\n cracklib:\n\n - CVE-2016-6318\n\n pcre:\n\n - CVE-2014-8964\n - CVE-2015-2325\n - CVE-2015-2327\n - CVE-2015-2328\n - CVE-2015-3210\n - CVE-2015-3217\n - CVE-2015-5073\n - CVE-2015-8380\n - CVE-2015-8381\n - CVE-2015-8382\n - CVE-2015-8383\n - CVE-2015-8384\n - CVE-2015-8385\n - CVE-2015-8386\n - CVE-2015-8387\n - CVE-2015-8388\n - CVE-2015-8389\n - CVE-2015-8390\n - CVE-2015-8391\n - CVE-2015-8392\n - CVE-2015-8393\n - CVE-2015-8394\n - CVE-2015-8395\n - CVE-2016-1283\n - CVE-2016-3191\n\n appamor:\n\n - CVE-2017-6507\n\n bash:\n\n - CVE-2014-6277\n - CVE-2014-6278\n - CVE-2016-0634\n - CVE-2016-7543\n\n cpio:\n\n - CVE-2016-2037\n\n glibc:\n\n - CVE-2016-1234\n - CVE-2016-3075\n - CVE-2016-3706\n - CVE-2016-4429\n - CVE-2017-1000366\n\n perl:\n\n - CVE-2015-8853\n - CVE-2016-1238\n - CVE-2016-2381\n - 
CVE-2016-6185\n\n libssh2_org:\n\n - CVE-2016-0787\n\n util-linux:\n\n - CVE-2016-5011\n - CVE-2017-2616\n\n ncurses:\n\n - CVE-2017-10684\n - CVE-2017-10685\n - CVE-2017-11112\n - CVE-2017-11113\n\n libksba:\n\n - CVE-2016-4574\n - CVE-2016-4579\n\n libxml2:\n\n - CVE-2014-0191\n - CVE-2015-8806\n - CVE-2016-1762\n - CVE-2016-1833\n - CVE-2016-1834\n - CVE-2016-1835\n - CVE-2016-1837\n - CVE-2016-1838\n - CVE-2016-1839\n - CVE-2016-1840\n - CVE-2016-2073\n - CVE-2016-3627\n - CVE-2016-3705\n - CVE-2016-4447\n - CVE-2016-4448\n - CVE-2016-4449\n - CVE-2016-4483\n - CVE-2016-4658\n - CVE-2016-9318\n - CVE-2016-9597\n - CVE-2017-9047\n - CVE-2017-9048\n - CVE-2017-9049\n - CVE-2017-9050\n\n libgcrypt:\n\n - CVE-2015-7511\n - CVE-2016-6313\n - CVE-2017-7526\n\n update-alternatives:\n\n - CVE-2015-0860\n\n systemd:\n\n - CVE-2014-9770\n - CVE-2015-8842\n - CVE-2016-7796\n\n dbus-1:\n\n - CVE-2014-7824\n - CVE-2015-0245\n\n Finally, the following packages received non-security fixes:\n\n - augeas\n - bzip2\n - ca-certificates-mozilla\n - coreutils\n - cryptsetup\n - cyrus-sasl\n - dirmngr\n - e2fsprogs\n - findutils\n - gpg2\n - insserv-compat\n - kmod\n - libcap\n - libsolv\n - libzypp\n - lua51\n - lvm2\n - netcfg\n - p11-kit\n - permissions\n - procps\n - rpm\n - sed\n - sg3_utils\n - shadow\n - zypper\n\n", "edition": 1, "modified": "2017-10-11T03:07:32", "published": "2017-10-11T03:07:32", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00011.html", "id": "SUSE-SU-2017:2700-1", "title": "Security update for SLES 12-SP1 Docker image (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}