Univention Bugzilla – Bug 35124
dbus: Denial of service (ES 3.2)
Last modified: 2019-04-11 19:24:43 CEST
dbus failed to restrict some message parsing between Dbus clients (CVE-2014-3477)
Two additional denial of service vulnerabilities in file descriptor passing (CVE-2014-3532, CVE-2014-3533)
(In reply to Moritz Muehlenhoff from comment #1)
> Two additional denial of service vulnerabilities in file descriptor passing
> (CVE-2014-3532, CVE-2014-3533)

CVE-2014-3533 doesn't affect the version from UCS 3.2.x
Several further local Dbus DoS: CVE-2014-3635 CVE-2014-3636 CVE-2014-3637 CVE-2014-3638 CVE-2014-3639
(In reply to Moritz Muehlenhoff from comment #3)
> Several further local Dbus DoS: CVE-2014-3635 CVE-2014-3636 CVE-2014-3637
> CVE-2014-3638 CVE-2014-3639

CVE-2014-3637, CVE-2014-3636 and CVE-2014-3635 don't affect UCS 3.2; the affected feature was introduced later.
CVE-2014-7824 also doesn't affect UCS 3.2; the affected code was introduced later.
Upstream Debian (Wheezy) package version 1:9.8.4.dfsg.P1-6+nmu2+deb7u13 fixes this issue:
* named in ISC BIND 9.x before 9.9.9-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c. (CVE-2016-8864)
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version; otherwise this issue will be automatically closed in the next weeks.