#13164: avahi-0.8
-------------------------+-----------------------
Reporter: bdubbs | Owner: renodr
Type: enhancement | Status: assigned
Priority: high | Milestone: 9.2
Component: BOOK | Version: SVN
Severity: normal | Resolution:
Keywords: |
-------------------------+-----------------------
Changes (by renodr):
* priority: normal => high
Comment:
{{{
The Avahi 0.8 release brings a number of new features and bug fix changes
including a backward-compatible addition to the D-Bus API and the avahi-
core
API.
The existing API is still fully supported however clients using the new
API will not work with older Avahi releases. The avahi-client library is
not
affected. See the "API Changes" section for further details.
New Features:
New options for filtering reflected queries between networks (reflect-
filter)
New mainloop integration for Qt5 and libevent
docs/THREADS: Information for multi-threaded avahi-client apps
Listen on loopback interfaces by default, allowing local-only services
to be
consumed by the local machine
New D-Bus V2 API and additions to the avahi-core API for splitting
"New"
calls into "Prepare" and "Start". See "API Changes" for more details.
Notable Changes:
avahi-autoipd: Initial IP selection based on MAC previously ignored
first
octet - this will cause all hosts to select a different link-local IP
than
previous versions based on the same MAC address
avahi-daemon: Delay sending results on an object for 10ms in an
attempt to
give clients enough time to subscribe to signals from the new object
after
receiving it's path in response so the New call. See "API Changes" for
more
info
Bug Fixes:
avahi-python: Various Python 3 enhancements including encoding unicode
strings as UTF-8
avahi-common: avahi_string_list_to_string will now escape embedded
quotes,
backslashes and control characters.
avahi-daemon: Fix a crash when txt records have an empty value in .xml
service files
avahi-daemon: reflector: do not incorrectly cache responses on
outgoing
interfaces. Previously we would incorrectly cache responses reflected
from
one interface on the outgoing interface. These responses were later
sent to
clients on that network even if the original client had disappeared
and could
cause those clients to have a hostname conflict with themselves on
restart.
We no longer incorrectly cache such traffic.
Security Fixes:
Drop legacy unicast queries from address not on local link which can
lead to
UDP traffic amplification attacks (CVE-2017-6519)
API Changes: The avahi-core API and D-Bus API have implemented a new API
where
a call to the "New" method can now be split into a "Prepare" and then
"Start"
method for some objects. The previous "New" API is still fully supported
and
there is no intention to deprecate it.
This change affects the the following objects: AsyncAddressResolver,
AsyncHostNameResolver, AsyncServiceResolver, DomainBrowser, RecordBrowser,
ServiceBrowser, ServiceTypeBrowser
This is because the D-Bus implementation in some languages would only bind
to
signals of an object after it was created and had received the new
object's
path. This led to such languages missing the initial results sent between
the
time the object was created and it had setup a filter to receive it's
signals.
This primarily occured in languages that create dynamic bindings for D-Bus
objects using introspection such as Python. The avahi-client C api was not
affected as it globally binds to all avahi signals without specifying
individual object paths and still makes use of the V1 API.
The v2 Prepare/Start API is available under the new
org.freedesktop.Avahi.Server2 D-Bus interface and also has corresponding
avahi_s_* calls for users of the embedded avahi-core library.
The old org.freedesktop.Avahi.Server interface is still supported and
there is
no intention to remove this API. Additionally this problem has also been
solved
for old clients by adding a very small 10ms delay before we start sending
results to give the client time to bind to the signals which should
silently
fix the issue in most cases without introducing a noticable or impactful
delay.
Clients implementing the new org.freedesktop.Avahi.Server2 D-Bus interface
will
not work with older Avahi daemons. It is suggested that clients may wish
to
either check for and fallback to the older API version, or continue to use
the
OLD API and rely on the 10ms timer to resolve the issue.
Big thank-you to everyone contributing to the project through issues &
pull
requests, including the the following people who contributed changes to
this
release: Daniel S, David Kerr, Eric Bischoff, James Rudd, Jan Alexander
Steffens (heftig), Karl Cronburg, Krzesimir Nowak, Mario Blättermann,
Martin
Blanchard, Michal Sekletar, msk-nightingale, Philip Prindeville, Piotr
Drąg,
Rafael Fontenelle, scootergrisen, Simon Lauser, Simon McVittie, Thomas
Jollans,
Till Kamppeter, Tony Garnock-Jones, Trent Lloyd, wisd0me, Yclept Nemo,
Zlopez,
Дамјан Георгиевски.
This release is backwards compatible with Avahi 0.6.x and 0.7.
}}}
Marking high because of CVE-2017-6519.
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/13164#comment:4>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
--
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
