Hello, Thanks for the heads-up, just sent the patches to master and whinlatter.
Kind Regards, Amaury ________________________________ From: Yoann Congal <[email protected]> Sent: Wednesday, February 4, 2026 11:53 AM To: Amaury Couderc <[email protected]>; [email protected] <[email protected]> Subject: Re: [OE-core] [scarthgap][PATCH] avahi: fixes CVE-2025-68468 On Fri Jan 23, 2026 at 11:36 AM CET, Amaury Couderc via lists.openembedded.org wrote: > From: Amaury Couderc <[email protected]> > > avahi: fix DoS bug by removing incorrect assertion > > Signed-off-by: Amaury Couderc <[email protected]> > --- > meta/recipes-connectivity/avahi/avahi_0.8.bb | 2 +- > .../avahi/files/CVE-2025-68468.patch | 32 +++++++++++++++++++ > 2 files changed, 33 insertions(+), 1 deletion(-) > create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2025-68468.patch Hello, If I'm not mistaken, this patch does not have a master equivalent. Please fix CVE-2025-68468 on master and whinlatter (by upgrade or patch) and, then, request a backport scarthgap. Regards, > > diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb > b/meta/recipes-connectivity/avahi/avahi_0.8.bb > index ffda85c0e7..8f8f4a0d88 100644 > --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb > +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb > @@ -37,6 +37,7 @@ SRC_URI = > "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \ > file://CVE-2023-38473.patch \ > file://CVE-2024-52616.patch \ > file://CVE-2024-52615.patch \ > + file://CVE-2025-68468.patch \ > " > > GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/"; > diff --git a/meta/recipes-connectivity/avahi/files/CVE-2025-68468.patch > b/meta/recipes-connectivity/avahi/files/CVE-2025-68468.patch > new file mode 100644 > index 0000000000..3635cc8d53 > --- /dev/null > +++ b/meta/recipes-connectivity/avahi/files/CVE-2025-68468.patch > @@ -0,0 +1,32 @@ > +From 483f83828cfda965fac914ff1b39c63c256372b2 Mon Sep 17 00:00:00 2001 > +From: Hugo Muis <[email protected]> > +Date: Sun, 2 Mar 2025 18:06:24 +0100 > +Subject: [PATCH] core: fix DoS bug by removing incorrect assertion > + > +Closes https://github.com/avahi/avahi/issues/683 > + > +CVE: CVE-2025-68468 > + > +Upstream-Status: Backport > +[https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a] > + > +Signed-off-by: Amaury Couderc <[email protected]> > +--- > + avahi-core/browse.c | 1 - > + 1 file changed, 1 deletion(-) > + > +diff --git a/avahi-core/browse.c b/avahi-core/browse.c > +index 86e4432..79595fe 100644 > +--- a/avahi-core/browse.c > ++++ b/avahi-core/browse.c > +@@ -295,7 +295,6 @@ static void lookup_multicast_callback( > + lookup_drop_cname(l, interface, protocol, 0, r); > + else { > + /* It's a normal record, so let's call the user callback */ > +- assert(avahi_key_equal(b->key, l->key)); > + > + b->callback(b, interface, protocol, event, r, flags, > b->userdata); > + } > +-- > +2.43.0 > + -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#230805): https://lists.openembedded.org/g/openembedded-core/message/230805 Mute This Topic: https://lists.openembedded.org/mt/117415659/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
