This bug was fixed in the package avahi - 0.8-14ubuntu1
---------------
avahi (0.8-14ubuntu1) plucky; urgency=medium

  * Merge with Debian unstable (LP: #2090963). Remaining changes:
    - Disable lto, see https://bugzilla.redhat.com/show_bug.cgi?id=1907727
    - avahi-daemon-chroot-fix-bogus-assignments-in-assertions.patch,
      avahi-client-fix-resource-leak.patch: Issues discovered by static
      analysis (Upstream pull request #202)
    - SECURITY UPDATE: Reachable assertions exist in domain functions in
      avahi-common
      + debian/patches/CVE-2023-38470-2.patch: bail out when escaped
        labels can't fit into ret
      + CVE-2023-38470
    - SECURITY UPDATE: Reachable assertions exist in server functions in
      avahi-core
      + debian/patches/CVE-2023-38471-2.patch: core: return errors from
        avahi_server_set_host_name properly
      + CVE-2023-38471
  * Dropped changes, included in Debian:
    - SECURITY UPDATE: Reachable assertions exist in server functions of
      avahi-core
      + debian/patches/CVE-2023-38469-1.patch: reject overly long TXT
        resource records
      + debian/patches/CVE-2023-38469-2.patch: tests: pass overly long TXT
        resource records
      + CVE-2023-38469
    - SECURITY UPDATE: Reachable assertions exist in domain functions in
      avahi-common
      + debian/patches/CVE-2023-38470-1.patch: Ensure each label is at least
        one byte long
    - SECURITY UPDATE: Reachable assertions exist in server functions in
      avahi-core
      + debian/patches/CVE-2023-38471-1.patch: core: extract host name using
        avahi_unescape_label()
    - SECURITY UPDATE: Reachable assertions exist in dbus functions in
      avahi-daemon
      + debian/patches/CVE-2023-38472.patch: core: make sure there is rdata
        to process before parsing it
      + CVE-2023-38472
    - SECURITY UPDATE: Reachable assertions exist in alternative functions
      in avahi-common
      + debian/patches/CVE-2023-38473.patch: common: derive alternative host
        name from its unescaped version
      + CVE-2023-38473
  * Dropped changes, no longer needed:
    - avahi-autoipd: Demote isc-dhcp-client from Recommends to Suggests.
      Debian dropped isc-dhcp-client from Recommends altogether.

avahi (0.8-14) unstable; urgency=medium

  [ Simon McVittie ]
  * d/upstream/metadata: Add
  * d/watch: Use Github releases API
    (Closes: #1059615)
  * d/watch.devel: Add a secondary watch file that downloads release
    candidates.
    This is not used by default by infrastructure (we don't necessarily want
    to package every prerelease), but can be used via
    `uscan --watchfile debian/watch.devel`.
    Thanks to Marc Leeman
  * d/gbp.conf: Update packaging branch to debian/latest as per DEP-14
  * d/salsa-ci.yml: Add.
    Disable the cross-build test for now, this will need some more thought
    (perhaps building with nogir and/or nopython).

  [ Michael Biebl ]
  * Remove obsolete maintscript code from pre oldstable
  * Cleanup runtime / state directories more thoroughly on package purge.
    Those directories do not contain any valuable data that should be
    preserved beyond a package purge. So simplify the cleanup and do it more
    thoroughly by just removing all runtime and state files.
    While at it, correct an old changelog entry which referenced a wrong
    path. (Closes: #849454, #1051442)
  * Bump Standards-Version to 4.7.0
  * Drop isc-dhcp-client Recommends from avahi-autoipd.
    ISC DHCP client is no longer actively maintained, so stop recommending
    it. Still ship the integration hooks though for the time being.
    (Closes: #1064500)
  * avahi-discover: Fix invalid escape sequences.
    Patch cherry-picked from upstream Git. (Closes: #1085347)
  * core: make sure there is rdata to process before parsing it.
    Patch cherry-picked from upstream Git.
    (CVE-2023-38472, Closes: #1054879)
  * core: reject overly long TXT resource records.
    Patches cherry-picked from upstream Git.
    (CVE-2023-38469, Closes: #1054876)
  * Ensure each label is at least one byte long.
    Patch cherry-picked from upstream Git.
    (CVE-2023-38470, Closes: #1054877)
  * core: extract host name using avahi_unescape_label()
    Patch cherry-picked from upstream Git.
    (CVE-2023-38471, Closes: #1054878)
  * common: derive alternative host name from its unescaped version.
    Patch cherry-picked from upstream Git.
    (CVE-2023-38473, Closes: #1054880)

 -- Mateus Rodrigues de Morais <[email protected]>  Tue, 03 Dec 2024 17:57:06 -0300
** Changed in: avahi (Ubuntu)
Status: Fix Committed => Fix Released
** Bug watch added: Red Hat Bugzilla #1907727
https://bugzilla.redhat.com/show_bug.cgi?id=1907727
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-38469
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-38470
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-38471
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-38472
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-38473
https://bugs.launchpad.net/bugs/2090963
Title:
Please merge 0.8-14 into plucky