authorWill Dietz <w@wdtz.org>2019-06-11 17:03:50 -0500
committerFrederik Rietdijk <freddyrietdijk@fridh.nl>2019-06-15 18:16:58 +0200
commit6d7cdd7f8b5b36c66de08ec0b0006d4c6f5d5f28 (patch)
tree71bd391d3d2137801d4d150acb6b165e5743be48 /pkgs/development/libraries/dbus
parent40ff73327d60275457368a070cb39ef8bba2cf7e (diff)
dbus: 1.12.14 -> 1.12.16
https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12.16/NEWS

It's short and explains the CVE a bit; the relevant entry is included below:

> CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
> authentication for identities that differ from the user running the
> DBusServer. Previously, a local attacker could manipulate symbolic
> links in their own home directory to bypass authentication and connect
> to a DBusServer with elevated privileges. The standard system and
> session dbus-daemons in their default configuration were immune to this
> attack because they did not allow DBUS_COOKIE_SHA1, but third-party
> users of DBusServer such as Upstart could be vulnerable.   Thanks to Joe
> Vennix of Apple Information Security.   (dbus#269, Simon McVittie)
Diffstat (limited to 'pkgs/development/libraries/dbus')
-rw-r--r--pkgs/development/libraries/dbus/default.nix4
1 files changed, 2 insertions, 2 deletions
diff --git a/pkgs/development/libraries/dbus/default.nix b/pkgs/development/libraries/dbus/default.nix
index 60d0cc81d2b..abc32b90c6b 100644
--- a/pkgs/development/libraries/dbus/default.nix
+++ b/pkgs/development/libraries/dbus/default.nix
@@ -6,8 +6,8 @@ assert x11Support -> libX11 != null
                   && libSM != null;
 
 let
-  version = "1.12.14";
-  sha256 = "13aca7gzgl7z1dfdipfs23773w8n6z01d4rj5kmssv4gms8c5ya4";
+  version = "1.12.16";
+  sha256 = "107ckxaff1cv4q6kmfdi2fb1nlsv03312a7kf6lb4biglhpjv8jl";
 
 self = stdenv.mkDerivation {
     name = "dbus-${version}";