This bug was fixed in the package avahi - 0.8-18ubuntu1
---------------
avahi (0.8-18ubuntu1) resolute; urgency=medium

  * Merge with Debian unstable (LP: #2142150). Remaining changes:
    - avahi-daemon-chroot-fix-bogus-assignments-in-assertions.patch,
      avahi-client-fix-resource-leak.patch: Issues discovered by static
      analysis (Upstream pull request #202)
    - SECURITY UPDATE: Reachable assertions exist in domain functions in
      avahi-common
      + debian/patches/CVE-2023-38470-2.patch: bail out when escaped
        labels can't fit into ret
      + CVE-2023-38470
    - SECURITY UPDATE: Reachable assertions exist in server functions in
      avahi-core
      + debian/patches/CVE-2023-38471-2.patch: core: return errors from
        avahi_server_set_host_name properly
      + CVE-2023-38471
  * Dropped changes applied upstream:
    - SECURITY UPDATE: Denial of service when creating a record browser.
      + debian/patches/CVE-2025-68276.patch: Add AVAHI_LOOKUP_USE_WIDE_AREA and
        wide area use check in avahi-core/browse.c.
      + CVE-2025-68276
    - SECURITY UPDATE: Denial of service after CNAME expiration.
      + debian/patches/CVE-2025-68468.patch: Remove assert in
        avahi-core/browse.c.
      + CVE-2025-68468
    - SECURITY UPDATE: Denial of service on receiving CNAME resource records.
      + debian/patches/CVE-2025-68471.patch: Change assert to return on
        wide_area check in avahi-core/browse.c.
      + CVE-2025-68471

 -- Ural Tunaboyu <[email protected]>  Tue, 17 Feb 2026 21:26:06 -0800
** Changed in: avahi (Ubuntu)
Status: In Progress => Fix Released
** CVE added: https://cve.org/CVERecord?id=CVE-2023-38470
** CVE added: https://cve.org/CVERecord?id=CVE-2023-38471
** CVE added: https://cve.org/CVERecord?id=CVE-2025-68276
** CVE added: https://cve.org/CVERecord?id=CVE-2025-68468
** CVE added: https://cve.org/CVERecord?id=CVE-2025-68471
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2142150
Title:
Merge avahi from Debian Unstable for resolute