Source: avahi Version: 0.8-17 Severity: important Tags: security upstream Forwarded: https://github.com/avahi/avahi/pull/808 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]> Control: found -1 0.8-16 Control: found -1 0.8-5
Hi, The following vulnerability was published for avahi. CVE-2025-59529[0]: | Avahi is a system which facilitates service discovery on a local | network via the mDNS/DNS-SD protocol suite. In versions up to and | including 0.9-rc2, the simple protocol server ignores the documented | client limit and accepts unlimited connections, allowing for easy | local DoS. Although `CLIENTS_MAX` is defined, `server_work()` | unconditionally `accept()`s and `client_new()` always appends the | new client and increments `n_clients`. There is no check against the | limit. When client cannot be accepted as a result of maximal socket | number of avahi-daemon, it logs unconditionally error per each | connection. Unprivileged local users can exhaust daemon memory and | file descriptors, causing a denial of service system-wide for | mDNS/DNS-SD. Exhausting local file descriptors causes increased | system load caused by logging errors of each of request. Overloading | prevents glibc calls using nss-mdns plugins to resolve `*.local.` | names and link-local addresses. As of time of publication, no known | patched versions are available, but a candidate fix is available in | pull request 808, and some workarounds are available. Simple clients | are offered for nss-mdns package functionality. It is not possible | to disable the unix socket `/run/avahi-daemon/socket`, but | resolution requests received via DBus are not affected directly. | Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host- | name are not affected, they use DBus interface. It is possible to | change permissions of unix socket after avahi-daemon is started. But | avahi-daemon does not provide any configuration for it. Additional | access restrictions like SELinux can also prevent unwanted tools to | access the socket and keep resolution working for trusted users. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-59529 https://www.cve.org/CVERecord?id=CVE-2025-59529 [1] https://github.com/avahi/avahi/pull/808 [2] https://github.com/avahi/avahi/security/advisories/GHSA-73wf-3xmj-x82q Regards, Salvatore
