Public bug reported:
Scheduled-For: ubuntu-26.02
Ubuntu: 0.8-17ubuntu2
Debian Unstable: 0.8-18
A new release of avahi is available for merging from Debian Unstable.
If it turns out this needs a sync rather than a merge, please change the
tagging from ['dcr-merge'] to ['dcr-sync'], and (optionally) update the
title as desired.
### New Debian Changes ###
avahi (0.8-18) unstable; urgency=medium
[ Simon McVittie ]
* d/copyright: Don't quote the FSF's former postal address here
[ Michael Biebl ]
* core: refuse to create wide-area record browsers when wide-area is off.
Patch cherry-picked from upstream Git
CVE-2025-68276 (Closes: #1125417)
* core: fix DoS bug by removing incorrect assertion.
Patch cherry-picked from upstream Git
CVE-2025-68468 (Closes: #1125418)
* core: fix DoS bug by changing assert to return.
Patch cherry-picked from upstream Git
CVE-2025-68471 (Closes: #1125419)
* core: fix uncontrolled recursion bug using a simple loop detection
algorithm.
Patch cherry-picked from upstream Git
CVE-2026-24401 (Closes: #1126342)
* Randomize transaction IDs in wide area queries.
Patch cherry-picked from upstream Git.
CVE-2024-52616 (Closes: #1088111)
* Bump Standards-Version to 4.7.3
-- Michael Biebl <[email protected]> Sun, 01 Feb 2026 16:54:47 +0100
### Old Ubuntu Delta ###
avahi (0.8-17ubuntu2) resolute; urgency=medium
* SECURITY UPDATE: Denial of service when creating a record browser.
- debian/patches/CVE-2025-68276.patch: Add AVAHI_LOOKUP_USE_WIDE_AREA and
wide area use check in avahi-core/browse.c.
- CVE-2025-68276
* SECURITY UPDATE: Denial of service after CNAME expiration.
- debian/patches/CVE-2025-68468.patch: Remove assert in
avahi-core/browse.c.
- CVE-2025-68468
* SECURITY UPDATE: Denial of service on receiving CNAME resource records.
- debian/patches/CVE-2025-68471.patch: Change assert to return on
wide_area check in avahi-core/browse.c.
- CVE-2025-68471
-- Hlib Korzhynskyy <[email protected]> Mon, 19 Jan 2026 13:55:55 -0330
avahi (0.8-17ubuntu1) resolute; urgency=medium
* Merge with Debian unstable (LP: #2130121). Remaining changes:
- avahi-daemon-chroot-fix-bogus-assignments-in-assertions.patch,
avahi-client-fix-resource-leak.patch: Issues discovered by static
analysis (Upstream pull request #202)
- SECURITY UPDATE: Reachable assertions exist in domain functions in
avahi-common
+ debian/patches/CVE-2023-38470-2.patch: bail out when escaped
labels can't fit into ret
+ CVE-2023-38470
- SECURITY UPDATE: Reachable assertions exist in server functions in
avahi-core
+ debian/patches/CVE-2023-38471-2.patch: core: return errors from
avahi_server_set_host_name properly
+ CVE-2023-38471
* Dropped changes applied upstream:
- d/t/local-resolve-service: Add non-superficial DEP-8 test, which validates
resolving of mDNS .local domains and service discovery. (LP #2103699)
-- Ural Tunaboyu <[email protected]> Tue, 02 Dec 2025 16:15:49 -0800
** Affects: avahi (Ubuntu)
Importance: Undecided
Assignee: Ural Tunaboyu (uralt)
Status: In Progress
** Tags: dcr-merge
** Merge proposal linked:
https://code.launchpad.net/~uralt/ubuntu/+source/avahi/+git/avahi/+merge/500640
--
https://bugs.launchpad.net/bugs/2142150
Title:
Merge avahi from Debian Unstable for resolute