Bug#1090787: bookworm-pu: package avahi/0.8-10+deb12u1
- To: Salvatore Bonaccorso <carnil@debian.org>
- Cc: 1090787@bugs.debian.org
- Subject: Bug#1090787: bookworm-pu: package avahi/0.8-10+deb12u1
- From: Adrian Bunk <bunk@debian.org>
- Date: Sat, 4 Jan 2025 17:12:40 +0200
- Message-id: <Z3lP6NQsSW/ipXz9@localhost>
- Reply-to: Adrian Bunk <bunk@debian.org>, 1090787@bugs.debian.org
- In-reply-to: <Z2UPxq7Qn_DVh2Jw@eldamar.lan>
- References: <173459306201.20907.2523279193329307497.reportbug@localhost> <Z2UPxq7Qn_DVh2Jw@eldamar.lan> <173459306201.20907.2523279193329307497.reportbug@localhost>
Control: tags -1 - moreinfo
On Fri, Dec 20, 2024 at 07:33:42AM +0100, Salvatore Bonaccorso wrote:
> Hi Adrian,
Hi Salvatore,
> On Thu, Dec 19, 2024 at 09:24:22AM +0200, Adrian Bunk wrote:
>...
> > * Fix browsing when invalid services present.
> > See https://github.com/lathiat/avahi/issues/212
>...
> > 2. A question to the security team is whether the last item should
> > get a CVE, there is some discussion in the upstream issue about
> > that but apparently none has been assigned.
>
> Thanks for the pointer, will have a closer look. But it's not strictly
> needed. It's crashing avahi-browse only, which would be in any case
> minor (likely even more towards unimportant for us), but lets see from
> Red Hat if they still aim to assign a CVE.
Since there was not yet a resolution to your question upstream,
I've uploaded it now to get both this fix and the other CVE fixes
into the upcoming point release.
If a CVE gets assigned later it won't be listed in the changelog,
but that's not a real problem.
> Regards,
> Salvatore
cu
Adrian
Reply to: