SUSE-SU-2014:1146-1
History: Sep 19, 2014 - 11:04 p.m.

Security update for dbus-1 (important)

2014-09-19 23:04:49
lists.opensuse.org

EPSS: 0.0004 (Low), percentile 5.7%

Various denial of service issues were fixed in the DBUS service.

   * CVE-2014-3638: dbus-daemon tracks whether method call messages
     expect a reply, so that unsolicited replies can be dropped. As
     currently implemented, if there are n parallel method calls in
     progress, each method reply takes O(n) CPU time. A malicious user
     could exploit this by opening the maximum allowed number of parallel
     connections and sending the maximum number of parallel method calls
     on each one, causing subsequent method calls to be unreasonably
     slow, a denial of service.
   * CVE-2014-3639: dbus-daemon allows a small number of "incomplete"
     connections (64 by default) whose identity has not yet been
     confirmed. When this limit has been reached, subsequent connections
     are dropped. Alban's testing indicates that one malicious process
     that makes repeated connection attempts, but never completes the
     authentication handshake and instead waits for dbus-daemon to time
     out and disconnect it, can cause the majority of legitimate
     connection attempts to fail.
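As an added illustration (not code from the SUSE advisory or from the dbus project), the following models the reply bookkeeping behind CVE-2014-3638: the same "which calls still expect a reply" record kept once as a flat list that every reply scans, and once keyed by (caller, serial) so a reply costs one lookup. The class and function names and the "flooder"/"legit" scenario are constructed for this example; the real dbus-daemon fix is not reproduced here.

```python
class ListReplyTracker:
    """Pending calls kept in a flat list; every reply scans it (O(n) per reply)."""
    def __init__(self):
        self.pending = []   # entries are (caller, serial) of calls awaiting a reply
        self.probes = 0     # entries examined so far, to make the cost visible

    def expect_reply(self, caller, serial):
        self.pending.append((caller, serial))

    def accept_reply(self, caller, reply_serial):
        for i, entry in enumerate(self.pending):
            self.probes += 1
            if entry == (caller, reply_serial):
                del self.pending[i]   # matched: forward the reply, forget the call
                return True
        return False                  # no matching call: unsolicited reply, drop it


class IndexedReplyTracker:
    """Pending calls keyed by (caller, serial); every reply is one hash lookup (O(1))."""
    def __init__(self):
        self.pending = set()
        self.probes = 0

    def expect_reply(self, caller, serial):
        self.pending.add((caller, serial))

    def accept_reply(self, caller, reply_serial):
        self.probes += 1
        key = (caller, reply_serial)
        if key in self.pending:
            self.pending.discard(key)
            return True
        return False


def cost_of_one_legit_reply(tracker, stalled_calls):
    """Constructed scenario: one client opens stalled_calls calls that are never
    answered, then a legitimate client makes one call and gets its reply.
    Returns how many pending entries the tracker examined to match that reply."""
    for serial in range(1, stalled_calls + 1):
        tracker.expect_reply("flooder", serial)
    tracker.expect_reply("legit", 1)
    before = tracker.probes
    assert tracker.accept_reply("legit", 1)       # genuine reply is matched
    cost = tracker.probes - before
    assert not tracker.accept_reply("legit", 1)   # a second copy is unsolicited, dropped
    return cost
```

With 1024 stalled calls in flight, `cost_of_one_legit_reply(ListReplyTracker(), 1024)` returns 1025 probes for a single genuine reply, against 1 for `IndexedReplyTracker`; the list version is the per-reply cost that grows with the number of parallel calls the advisory describes.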

Security Issues:

   * CVE-2014-3638
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3638>
   * CVE-2014-3639
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3639>