New Debian avahi 0.8-10+deb12u1 fixes:

This update addresses the following issues:
* avahi: Reachable assertion in avahi_dns_packet_append_record (CVE-2023-38469)
* avahi: Reachable assertion in avahi_escape_label (CVE-2023-38470)
* avahi: Reachable assertion in dbus_set_host_name (CVE-2023-38471)
* avahi: Reachable assertion in avahi_rdata_parse (CVE-2023-38472)
* avahi: Reachable assertion in avahi_alternative_host_name (CVE-2023-38473)
--- mirror/ftp/pool/main/a/avahi/avahi_0.8-10.dsc +++ apt/ucs_5.2-0-errata5.2-0/source/avahi_0.8-10+deb12u1.dsc @@ -1,3 +1,26 @@ +0.8-10+deb12u1 [Thu, 19 Dec 2024 09:01:14 +0200] Adrian Bunk <bunk@debian.org>: + + * Non-maintainer upload. + + [ Michael Biebl ] + * core: make sure there is rdata to process before parsing it. + Patch cherry-picked from upstream Git. + (CVE-2023-38472, Closes: #1054879) + * core: reject overly long TXT resource records. + Patches cherry-picked from upstream Git. + (CVE-2023-38469, Closes: #1054876) + * Ensure each label is at least one byte long. + Patch cherry-picked from upstream Git. + (CVE-2023-38470, Closes: #1054877) + * core: extract host name using avahi_unescape_label() + Patch cherry-picked from upstream Git. + (CVE-2023-38471, Closes: #1054878) + * common: derive alternative host name from its unescaped version. + Patch cherry-picked from upstream Git. + (CVE-2023-38473, Closes: #1054880) + * Fix browsing when invalid services present. + See https://github.com/lathiat/avahi/issues/212 + 0.8-10 [Wed, 19 Apr 2023 13:51:49 +0200] Michael Biebl <biebl@debian.org>: [ Felix Geyer ] <http://piuparts.knut.univention.de/5.2-0/#287141877183118928>
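Review bot: The last added changelog entry, "Fix browsing when invalid services present", carries no CVE id and no "Closes:" bug number, unlike the five entries above it, and points only at upstream issue 212. The erratum description lists just the five reachable-assertion CVEs, so this sixth change would ship without being described. Consider mentioning it in the erratum text as a functional fix and stating whether it is a follow-up to one of the CVE patches or an independent change, since the changelog does not say. The "cherry-picked from upstream Git" entries also name no upstream commit, which makes the backport harder to audit against the upstream fixes.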
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.2-0] 6d08a2bfff Bug #57914: avahi 0.8-10+deb12u1
 doc/errata/staging/avahi.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.2x2>