Bug#1090787: bookworm-pu: package avahi/0.8-10+deb12u1
Hi Adrian,
On Thu, Dec 19, 2024 at 09:24:22AM +0200, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm moreinfo
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: security@debian.org, Michael Biebl <biebl@debian.org>, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
>
> * core: make sure there is rdata to process before parsing it.
> Patch cherry-picked from upstream Git.
> (CVE-2023-38472, Closes: #1054879)
> * core: reject overly long TXT resource records.
> Patches cherry-picked from upstream Git.
> (CVE-2023-38469, Closes: #1054876)
> * Ensure each label is at least one byte long.
> Patch cherry-picked from upstream Git.
> (CVE-2023-38470, Closes: #1054877)
> * core: extract host name using avahi_unescape_label()
> Patch cherry-picked from upstream Git.
> (CVE-2023-38471, Closes: #1054878)
> * common: derive alternative host name from its unescaped version.
> Patch cherry-picked from upstream Git.
> (CVE-2023-38473, Closes: #1054880)
> * Fix browsing when invalid services present.
> See https://github.com/lathiat/avahi/issues/212
>
>
> Tagged moreinfo for two reasons:
>
> 1. This is work done by Michael Biebl, it would be fine for me
> to close this request for a maintainer upload.
Thanks for preparing the update, bookworm-pu is indeed perfectly fine
for this (we do not need a DSA, and is marked as such already).
> 2. A question to the security team is whether the last item should
> get a CVE, there is some discussion in the upstream issue about
> that but apparently none has been assigned.
Thanks for the pointer, will have a closer look. But it's not strictly
needed. It's crashing avahi-browse only, which would be in any case
minor (likely even more towards unimportant for us), but lets see from
Red Hat if they still aim to assign a CVE.
Regards,
Salvatore
Reply to: