PT-2016-7919 · Freedesktop.Org · Dbus-1
Published 2016-10-19 · Updated 2016-10-19
Severity: None
No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.
Name of the Vulnerable Software and Affected Versions
dbus-1 versions prior to 1.8.22
Description
The issue concerns a security problem where an ActivationFailure message received from a root-owned systemd name is treated as a format string. This has been fixed by updating dbus-1 to version 1.8.22. Additional changes include fixing a memory leak when GetConnectionCredentials() succeeds, ensuring dbus-monitor does not reply to messages intended for others, and adding locking to DBusCounter's reference count and notify function.
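To illustrate the defect class the description names (bus-supplied text reaching a printf-style format slot) and its hardened form, here is an added, stand-alone C example; it is not dbus code. The logger `bus_log`, the two `report_failure_*` functions, the `has_format_directive` triage check and the sample message are all hypothetical and constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logger standing in for a daemon's variadic error
 * reporting: the first argument is a printf-style format string. */
static void bus_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Defective pattern: the text of a received ActivationFailure message
 * is handed to the logger as the format itself, so any '%' directives
 * in it are interpreted. Shown for contrast only; never called here. */
static void report_failure_unsafe(char *out, size_t outlen, const char *msg)
{
    bus_log(out, outlen, msg);
}

/* Hardened pattern: the message text is only ever an argument to a
 * fixed "%s" format, so '%' characters are copied literally. */
static void report_failure_safe(char *out, size_t outlen, const char *msg)
{
    bus_log(out, outlen, "Activation failed: %s", msg);
}

/* Triage check for code review or log inspection: does a string carry
 * printf directives that would be interpreted in a format slot?
 * "%%" is a literal percent sign and a lone trailing '%' is ignored. */
static int has_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') { p++; continue; }
        if (p[1] != '\0') return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample message, not a real systemd payload. */
    const char *msg = "unit example.service: %s failed";
    char buf[128];
    report_failure_safe(buf, sizeof buf, msg);
    printf("%s\n", buf);  /* the "%s" inside msg survives as plain text */
    printf("directives present: %d\n", has_format_directive(msg));
    return 0;
}
```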
Recommendations
To resolve the issue, update dbus-1 to version 1.8.22 or later. As a temporary workaround, consider restricting the use of the vulnerable GetConnectionCredentials() function until a patch is available. Additionally, ensure that the default configuration for the session bus only allows EXTERNAL authentication to minimize the risk of exploitation.
Related identifiers
Affected products
Dbus-1