Name of the Vulnerable Software and Affected Versions dbus-1 versions prior to 1.8.22

Description The issue concerns a security problem where an ActivationFailure message received from a root-owned systemd name is treated as a format string. This has been fixed by updating dbus-1 to version 1.8.22. Additional changes include fixing a memory leak when GetConnectionCredentials() succeeds, ensuring dbus-monitor does not reply to messages intended for others, and adding locking to DBusCounter's reference count and notify function.

Recommendations Update dbus-1 to version 1.8.22 to fix the security issue and bugs. As a temporary workaround, consider restricting the use of the vulnerable GetConnectionCredentials() function until the update is applied. Ensure that the default configuration for the session bus only allows EXTERNAL authentication to minimize the risk of exploitation.