ALAS-2024-2428

Amazon Linux 2 Security Advisory: ALAS-2024-2428
Advisory Release Date: 2024-01-19 01:51 Pacific
Advisory Updated Date: 2024-01-22 20:21 Pacific
Severity: Medium
Issue Overview:

D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6. (CVE-2023-34969)


Affected Packages:

dbus


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update dbus to update your system.

New Packages:
aarch64:
    dbus-1.10.24-7.amzn2.0.4.aarch64
    dbus-libs-1.10.24-7.amzn2.0.4.aarch64
    dbus-devel-1.10.24-7.amzn2.0.4.aarch64
    dbus-tests-1.10.24-7.amzn2.0.4.aarch64
    dbus-x11-1.10.24-7.amzn2.0.4.aarch64
    dbus-debuginfo-1.10.24-7.amzn2.0.4.aarch64

i686:
    dbus-1.10.24-7.amzn2.0.4.i686
    dbus-libs-1.10.24-7.amzn2.0.4.i686
    dbus-devel-1.10.24-7.amzn2.0.4.i686
    dbus-tests-1.10.24-7.amzn2.0.4.i686
    dbus-x11-1.10.24-7.amzn2.0.4.i686
    dbus-debuginfo-1.10.24-7.amzn2.0.4.i686

noarch:
    dbus-doc-1.10.24-7.amzn2.0.4.noarch

src:
    dbus-1.10.24-7.amzn2.0.4.src

x86_64:
    dbus-1.10.24-7.amzn2.0.4.x86_64
    dbus-libs-1.10.24-7.amzn2.0.4.x86_64
    dbus-devel-1.10.24-7.amzn2.0.4.x86_64
    dbus-tests-1.10.24-7.amzn2.0.4.x86_64
    dbus-x11-1.10.24-7.amzn2.0.4.x86_64
    dbus-debuginfo-1.10.24-7.amzn2.0.4.x86_64

Additional References

Red Hat: CVE-2023-34969

Mitre: CVE-2023-34969