Package: avahi-daemon Version: 0.6.31-4 Severity: important Tags: ipv6 Dear Maintainer,
I noticed that when I use NetworkManager to connect to a wired Ethernet network using a custom (or "cloned") MAC address, avahi-daemon has access to both MAC addresses and uses them inconsistently in MDNS queries, leaking them both. To reproduce, create a wired connection in NetworkManager with a cloned MAC, then run a network sniffer such as Wireshark, connect to the network, and observe MDNS communication. You will see a MDNS query to ff02::fb containing a question in the format "hostname [MAC address]._workstation._tcp.local", where "hostname" is replaced by your machine's hostname and "MAC address" is the original (not cloned) MAC address of your Ethernet adapter. Ideally, I would expect avahi-daemon to use the "cloned" MAC address, not the original one, in the query. The current behaviour causes an information leak where an eavesdropper can make a connection between your original MAC address and your "cloned" MAC address. -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores) Locale: LANG=cs_CZ.utf8, LC_CTYPE=cs_CZ.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages avahi-daemon depends on: ii adduser 3.113+nmu3 ii bind9-host [host] 1:9.9.5.dfsg-5 ii dbus 1.8.8-2 ii host 1:9.9.5.dfsg-5 ii init-system-helpers 1.21 ii libavahi-common3 0.6.31-4 ii libavahi-core7 0.6.31-4 ii libc6 2.19-12 ii libcap2 1:2.24-6 ii libdaemon0 0.14-6 ii libdbus-1-3 1.8.8-2 ii libexpat1 2.1.0-6 ii lsb-base 4.1+Debian13+nmu1 Versions of packages avahi-daemon recommends: ii libnss-mdns 0.10-6 Versions of packages avahi-daemon suggests: ii avahi-autoipd 0.6.31-4 -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
