https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12.16/NEWS
It's short and explains the CVE a bit, including below:
> CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
> authentication for identities that differ from the user running the
> DBusServer. Previously, a local attacker could manipulate symbolic
> links in their own home directory to bypass authentication and connect
> to a DBusServer with elevated privileges. The standard system and
> session dbus-daemons in their default configuration were immune to this
> attack because they did not allow DBUS_COOKIE_SHA1, but third-party
> users of DBusServer such as Upstart could be vulnerable. Thanks to Joe
> Vennix of Apple Information Security. (dbus#269, Simon McVittie)
6d7cdd7f8b