avahi-0.8-7.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10643 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z avahi-0.8-7.2 on GA media These are all security issues fixed in the avahi-0.8-7.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10643 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10643 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2006-5461/ SUSE CVE CVE-2006-5461 page https://www.suse.com/security/cve/CVE-2007-3372/ SUSE CVE CVE-2007-3372 page https://www.suse.com/security/cve/CVE-2008-5081/ SUSE CVE CVE-2008-5081 page https://www.suse.com/security/cve/CVE-2017-6519/ SUSE CVE CVE-2017-6519 page https://www.suse.com/security/cve/CVE-2018-1000845/ SUSE CVE CVE-2018-1000845 page https://www.suse.com/security/cve/CVE-2021-26720/ SUSE CVE CVE-2021-26720 page https://www.suse.com/security/cve/CVE-2021-3468/ SUSE CVE CVE-2021-3468 page https://www.suse.com/security/cve/CVE-2021-3502/ SUSE CVE CVE-2021-3502 page openSUSE Tumbleweed avahi-0.8-7.2 avahi-autoipd-0.8-7.2 avahi-compat-howl-devel-0.8-7.2 avahi-compat-mDNSResponder-devel-0.8-7.2 avahi-lang-0.8-7.2 avahi-utils-0.8-7.2 libavahi-client3-0.8-7.2 libavahi-client3-32bit-0.8-7.2 libavahi-common3-0.8-7.2 libavahi-common3-32bit-0.8-7.2 libavahi-core7-0.8-7.2 libavahi-devel-0.8-7.2 libavahi-libevent1-0.8-7.2 libdns_sd-0.8-7.2 libdns_sd-32bit-0.8-7.2 libhowl0-0.8-7.2 python36-avahi-0.8-7.2 python38-avahi-0.8-7.2 python39-avahi-0.8-7.2 avahi-0.8-7.2 as a component of openSUSE Tumbleweed avahi-autoipd-0.8-7.2 as a component of openSUSE Tumbleweed avahi-compat-howl-devel-0.8-7.2 as a component of openSUSE Tumbleweed avahi-compat-mDNSResponder-devel-0.8-7.2 as a component of openSUSE Tumbleweed avahi-lang-0.8-7.2 as a component of openSUSE Tumbleweed avahi-utils-0.8-7.2 as a component of openSUSE Tumbleweed libavahi-client3-0.8-7.2 as a component of openSUSE Tumbleweed libavahi-client3-32bit-0.8-7.2 as a component of openSUSE Tumbleweed libavahi-common3-0.8-7.2 as a component of openSUSE Tumbleweed libavahi-common3-32bit-0.8-7.2 as a component of openSUSE Tumbleweed libavahi-core7-0.8-7.2 as a component of openSUSE Tumbleweed libavahi-devel-0.8-7.2 as a component of openSUSE Tumbleweed libavahi-libevent1-0.8-7.2 as a component of openSUSE Tumbleweed libdns_sd-0.8-7.2 as a component of openSUSE Tumbleweed libdns_sd-32bit-0.8-7.2 as a component of openSUSE Tumbleweed libhowl0-0.8-7.2 as a component of openSUSE Tumbleweed python36-avahi-0.8-7.2 as a component of openSUSE Tumbleweed python38-avahi-0.8-7.2 as a component of openSUSE Tumbleweed python39-avahi-0.8-7.2 as a component of openSUSE Tumbleweed Avahi before 0.6.15 does not verify the sender identity of netlink messages to ensure that they come from the kernel instead of another process, which allows local users to spoof network changes to Avahi. CVE-2006-5461 openSUSE Tumbleweed:avahi-0.8-7.2 openSUSE Tumbleweed:avahi-autoipd-0.8-7.2 openSUSE Tumbleweed:avahi-compat-howl-devel-0.8-7.2 openSUSE Tumbleweed:avahi-compat-mDNSResponder-devel-0.8-7.2 openSUSE Tumbleweed:avahi-lang-0.8-7.2 openSUSE Tumbleweed:avahi-utils-0.8-7.2 openSUSE Tumbleweed:libavahi-client3-0.8-7.2 openSUSE Tumbleweed:libavahi-client3-32bit-0.8-7.2 openSUSE Tumbleweed:libavahi-common3-0.8-7.2 openSUSE Tumbleweed:libavahi-common3-32bit-0.8-7.2 openSUSE Tumbleweed:libavahi-core7-0.8-7.2 openSUSE Tumbleweed:libavahi-devel-0.8-7.2 openSUSE Tumbleweed:libavahi-libevent1-0.8-7.2 openSUSE Tumbleweed:libdns_sd-0.8-7.2 openSUSE Tumbleweed:libdns_sd-32bit-0.8-7.2 openSUSE Tumbleweed:libhowl0-0.8-7.2 openSUSE Tumbleweed:python36-avahi-0.8-7.2 openSUSE Tumbleweed:python38-avahi-0.8-7.2 openSUSE Tumbleweed:python39-avahi-0.8-7.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2006-5461.html CVE-2006-5461 https://bugzilla.suse.com/216219 SUSE Bug 216219 The Avahi daemon in Avahi before 0.6.20 allows attackers to cause a denial of service (exit) via empty TXT data over D-Bus, which triggers an assert error. CVE-2007-3372 openSUSE Tumbleweed:avahi-0.8-7.2 openSUSE Tumbleweed:avahi-autoipd-0.8-7.2 openSUSE Tumbleweed:avahi-compat-howl-devel-0.8-7.2 openSUSE Tumbleweed:avahi-compat-mDNSResponder-devel-0.8-7.2 openSUSE Tumbleweed:avahi-lang-0.8-7.2 openSUSE Tumbleweed:avahi-utils-0.8-7.2 openSUSE Tumbleweed:libavahi-client3-0.8-7.2 openSUSE Tumbleweed:libavahi-client3-32bit-0.8-7.2 openSUSE Tumbleweed:libavahi-common3-0.8-7.2 openSUSE Tumbleweed:libavahi-common3-32bit-0.8-7.2 openSUSE Tumbleweed:libavahi-core7-0.8-7.2 openSUSE Tumbleweed:libavahi-devel-0.8-7.2 openSUSE Tumbleweed:libavahi-libevent1-0.8-7.2 openSUSE Tumbleweed:libdns_sd-0.8-7.2 openSUSE Tumbleweed:libdns_sd-32bit-0.8-7.2 openSUSE Tumbleweed:libhowl0-0.8-7.2 openSUSE Tumbleweed:python36-avahi-0.8-7.2 openSUSE Tumbleweed:python38-avahi-0.8-7.2 openSUSE Tumbleweed:python39-avahi-0.8-7.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-3372.html CVE-2007-3372 https://bugzilla.suse.com/287123 SUSE Bug 287123 The originates_from_local_legacy_unicast_socket function (avahi-core/server.c) in avahi-daemon in Avahi before 0.6.24 allows remote attackers to cause a denial of service (crash) via a crafted mDNS packet with a source port of 0, which triggers an assertion failure. CVE-2008-5081 openSUSE Tumbleweed:avahi-0.8-7.2 openSUSE Tumbleweed:avahi-autoipd-0.8-7.2 openSUSE Tumbleweed:avahi-compat-howl-devel-0.8-7.2 openSUSE Tumbleweed:avahi-compat-mDNSResponder-devel-0.8-7.2 openSUSE Tumbleweed:avahi-lang-0.8-7.2 openSUSE Tumbleweed:avahi-utils-0.8-7.2 openSUSE Tumbleweed:libavahi-client3-0.8-7.2 openSUSE Tumbleweed:libavahi-client3-32bit-0.8-7.2 openSUSE Tumbleweed:libavahi-common3-0.8-7.2 openSUSE Tumbleweed:libavahi-common3-32bit-0.8-7.2 openSUSE Tumbleweed:libavahi-core7-0.8-7.2 openSUSE Tumbleweed:libavahi-devel-0.8-7.2 openSUSE Tumbleweed:libavahi-libevent1-0.8-7.2 openSUSE Tumbleweed:libdns_sd-0.8-7.2 openSUSE Tumbleweed:libdns_sd-32bit-0.8-7.2 openSUSE Tumbleweed:libhowl0-0.8-7.2 openSUSE Tumbleweed:python36-avahi-0.8-7.2 openSUSE Tumbleweed:python38-avahi-0.8-7.2 openSUSE Tumbleweed:python39-avahi-0.8-7.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-5081.html CVE-2008-5081 https://bugzilla.suse.com/459007 SUSE Bug 459007 https://bugzilla.suse.com/646961 SUSE Bug 646961 avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) and may cause information leakage by obtaining potentially sensitive information from the responding device via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809. CVE-2017-6519 openSUSE Tumbleweed:avahi-0.8-7.2 openSUSE Tumbleweed:avahi-autoipd-0.8-7.2 openSUSE Tumbleweed:avahi-compat-howl-devel-0.8-7.2 openSUSE Tumbleweed:avahi-compat-mDNSResponder-devel-0.8-7.2 openSUSE Tumbleweed:avahi-lang-0.8-7.2 openSUSE Tumbleweed:avahi-utils-0.8-7.2 openSUSE Tumbleweed:libavahi-client3-0.8-7.2 openSUSE Tumbleweed:libavahi-client3-32bit-0.8-7.2 openSUSE Tumbleweed:libavahi-common3-0.8-7.2 openSUSE Tumbleweed:libavahi-common3-32bit-0.8-7.2 openSUSE Tumbleweed:libavahi-core7-0.8-7.2 openSUSE Tumbleweed:libavahi-devel-0.8-7.2 openSUSE Tumbleweed:libavahi-libevent1-0.8-7.2 openSUSE Tumbleweed:libdns_sd-0.8-7.2 openSUSE Tumbleweed:libdns_sd-32bit-0.8-7.2 openSUSE Tumbleweed:libhowl0-0.8-7.2 openSUSE Tumbleweed:python36-avahi-0.8-7.2 openSUSE Tumbleweed:python38-avahi-0.8-7.2 openSUSE Tumbleweed:python39-avahi-0.8-7.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-6519.html CVE-2017-6519 https://bugzilla.suse.com/1037001 SUSE Bug 1037001 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultID: CVE-2017-6519. Reason: This candidate is a duplicate of CVE-2017-6519. Notes: All CVE users should reference CVE-2017-6519 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2018-1000845 openSUSE Tumbleweed:avahi-0.8-7.2 openSUSE Tumbleweed:avahi-autoipd-0.8-7.2 openSUSE Tumbleweed:avahi-compat-howl-devel-0.8-7.2 openSUSE Tumbleweed:avahi-compat-mDNSResponder-devel-0.8-7.2 openSUSE Tumbleweed:avahi-lang-0.8-7.2 openSUSE Tumbleweed:avahi-utils-0.8-7.2 openSUSE Tumbleweed:libavahi-client3-0.8-7.2 openSUSE Tumbleweed:libavahi-client3-32bit-0.8-7.2 openSUSE Tumbleweed:libavahi-common3-0.8-7.2 openSUSE Tumbleweed:libavahi-common3-32bit-0.8-7.2 openSUSE Tumbleweed:libavahi-core7-0.8-7.2 openSUSE Tumbleweed:libavahi-devel-0.8-7.2 openSUSE Tumbleweed:libavahi-libevent1-0.8-7.2 openSUSE Tumbleweed:libdns_sd-0.8-7.2 openSUSE Tumbleweed:libdns_sd-32bit-0.8-7.2 openSUSE Tumbleweed:libhowl0-0.8-7.2 openSUSE Tumbleweed:python36-avahi-0.8-7.2 openSUSE Tumbleweed:python38-avahi-0.8-7.2 openSUSE Tumbleweed:python39-avahi-0.8-7.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1000845.html CVE-2018-1000845 https://bugzilla.suse.com/1120281 SUSE Bug 1120281 avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects the packaging for Debian GNU/Linux (used indirectly by SUSE), not the upstream Avahi product. CVE-2021-26720 openSUSE Tumbleweed:avahi-0.8-7.2 openSUSE Tumbleweed:avahi-autoipd-0.8-7.2 openSUSE Tumbleweed:avahi-compat-howl-devel-0.8-7.2 openSUSE Tumbleweed:avahi-compat-mDNSResponder-devel-0.8-7.2 openSUSE Tumbleweed:avahi-lang-0.8-7.2 openSUSE Tumbleweed:avahi-utils-0.8-7.2 openSUSE Tumbleweed:libavahi-client3-0.8-7.2 openSUSE Tumbleweed:libavahi-client3-32bit-0.8-7.2 openSUSE Tumbleweed:libavahi-common3-0.8-7.2 openSUSE Tumbleweed:libavahi-common3-32bit-0.8-7.2 openSUSE Tumbleweed:libavahi-core7-0.8-7.2 openSUSE Tumbleweed:libavahi-devel-0.8-7.2 openSUSE Tumbleweed:libavahi-libevent1-0.8-7.2 openSUSE Tumbleweed:libdns_sd-0.8-7.2 openSUSE Tumbleweed:libdns_sd-32bit-0.8-7.2 openSUSE Tumbleweed:libhowl0-0.8-7.2 openSUSE Tumbleweed:python36-avahi-0.8-7.2 openSUSE Tumbleweed:python38-avahi-0.8-7.2 openSUSE Tumbleweed:python39-avahi-0.8-7.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-26720.html CVE-2021-26720 https://bugzilla.suse.com/1180827 SUSE Bug 1180827 https://bugzilla.suse.com/1180865 SUSE Bug 1180865 https://bugzilla.suse.com/1181852 SUSE Bug 1181852 https://bugzilla.suse.com/1186412 SUSE Bug 1186412 https://bugzilla.suse.com/1205048 SUSE Bug 1205048 A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered. CVE-2021-3468 openSUSE Tumbleweed:avahi-0.8-7.2 openSUSE Tumbleweed:avahi-autoipd-0.8-7.2 openSUSE Tumbleweed:avahi-compat-howl-devel-0.8-7.2 openSUSE Tumbleweed:avahi-compat-mDNSResponder-devel-0.8-7.2 openSUSE Tumbleweed:avahi-lang-0.8-7.2 openSUSE Tumbleweed:avahi-utils-0.8-7.2 openSUSE Tumbleweed:libavahi-client3-0.8-7.2 openSUSE Tumbleweed:libavahi-client3-32bit-0.8-7.2 openSUSE Tumbleweed:libavahi-common3-0.8-7.2 openSUSE Tumbleweed:libavahi-common3-32bit-0.8-7.2 openSUSE Tumbleweed:libavahi-core7-0.8-7.2 openSUSE Tumbleweed:libavahi-devel-0.8-7.2 openSUSE Tumbleweed:libavahi-libevent1-0.8-7.2 openSUSE Tumbleweed:libdns_sd-0.8-7.2 openSUSE Tumbleweed:libdns_sd-32bit-0.8-7.2 openSUSE Tumbleweed:libhowl0-0.8-7.2 openSUSE Tumbleweed:python36-avahi-0.8-7.2 openSUSE Tumbleweed:python38-avahi-0.8-7.2 openSUSE Tumbleweed:python39-avahi-0.8-7.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3468.html CVE-2021-3468 https://bugzilla.suse.com/1184521 SUSE Bug 1184521 A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability. CVE-2021-3502 openSUSE Tumbleweed:avahi-0.8-7.2 openSUSE Tumbleweed:avahi-autoipd-0.8-7.2 openSUSE Tumbleweed:avahi-compat-howl-devel-0.8-7.2 openSUSE Tumbleweed:avahi-compat-mDNSResponder-devel-0.8-7.2 openSUSE Tumbleweed:avahi-lang-0.8-7.2 openSUSE Tumbleweed:avahi-utils-0.8-7.2 openSUSE Tumbleweed:libavahi-client3-0.8-7.2 openSUSE Tumbleweed:libavahi-client3-32bit-0.8-7.2 openSUSE Tumbleweed:libavahi-common3-0.8-7.2 openSUSE Tumbleweed:libavahi-common3-32bit-0.8-7.2 openSUSE Tumbleweed:libavahi-core7-0.8-7.2 openSUSE Tumbleweed:libavahi-devel-0.8-7.2 openSUSE Tumbleweed:libavahi-libevent1-0.8-7.2 openSUSE Tumbleweed:libdns_sd-0.8-7.2 openSUSE Tumbleweed:libdns_sd-32bit-0.8-7.2 openSUSE Tumbleweed:libhowl0-0.8-7.2 openSUSE Tumbleweed:python36-avahi-0.8-7.2 openSUSE Tumbleweed:python38-avahi-0.8-7.2 openSUSE Tumbleweed:python39-avahi-0.8-7.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3502.html CVE-2021-3502 https://bugzilla.suse.com/1184846 SUSE Bug 1184846