avahi: CVE-2023-1981

Related Vulnerabilities: CVE-2023-1981  

Debian Bug report logs - #1034594

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 19 Apr 2023 04:36:01 UTC

Severity: important

Tags: security, upstream

Found in versions avahi/0.8-5+deb11u2, avahi/0.8-9, avahi/0.8-5

Fixed in version avahi/0.8-10

Done: Michael Biebl <biebl@debian.org>

Forwarded to https://github.com/lathiat/avahi/issues/375


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#1034594; Package src:avahi. (Wed, 19 Apr 2023 04:36:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Wed, 19 Apr 2023 04:36:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: avahi: CVE-2023-1981
Date: Wed, 19 Apr 2023 06:33:17 +0200
Source: avahi
Version: 0.8-9
Severity: important
Tags: security upstream
Forwarded: https://github.com/lathiat/avahi/issues/375
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for avahi.

CVE-2023-1981[0]:
| avahi-daemon can be crashed via DBus

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1981
    https://www.cve.org/CVERecord?id=CVE-2023-1981
[1] https://github.com/lathiat/avahi/issues/375
[2] https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions avahi/0.8-5+deb11u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 19 Apr 2023 04:45:02 GMT)


Marked as found in versions avahi/0.8-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 19 Apr 2023 04:45:03 GMT)


Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Wed, 19 Apr 2023 12:21:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 19 Apr 2023 12:21:05 GMT)


Message #14 received at 1034594-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1034594-close@bugs.debian.org
Subject: Bug#1034594: fixed in avahi 0.8-10
Date: Wed, 19 Apr 2023 12:19:02 +0000
Source: avahi
Source-Version: 0.8-10
Done: Michael Biebl <biebl@debian.org>

We believe that the bug you reported is fixed in the latest version of
avahi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1034594@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated avahi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 19 Apr 2023 13:51:49 +0200
Source: avahi
Architecture: source
Version: 0.8-10
Distribution: unstable
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Closes: 1034594
Changes:
 avahi (0.8-10) unstable; urgency=medium
 .
   [ Felix Geyer ]
   * Remove dependency on bind9-host.
     Originally added in #433030, no longer needed as the
     avahi-daemon-check-dns.sh script is no longer shipped.
 .
   [ Michael Biebl ]
   * Emit error if requested service is not found.
     Fixes a potential local DoS where the avahi daemon could be crashed by
     an unprivileged user via a D-Bus call.
     (CVE-2023-1981, Closes: #1034594)
   * Update watch file to get tarballs directly from avahi.org again.
     The recent changes in GitHub broke the current watch file.
     As new releases are again uploaded to avahi.org, get the release
     tarballs from there.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 19 13:10:54 2023; Machine Name: buxtehude