| Package | avahi |
|---|---|
| Version | 0.6.31-5+deb8u3 (jessie), 0.6.32-2+deb9u3 (stretch), 0.7-4+deb10u4 (buster) |
| Related CVEs | CVE-2023-38469 CVE-2023-38470 CVE-2023-38471 CVE-2023-38472 CVE-2023-38473 |
Multiple vulnerabilities have been fixed in the service discovery system Avahi.
Additionally, a GetAlternativeServiceName regression introduced by the CVE-2023-1981 fix in DLA-3414-1 (buster) and ELA-844-1 (jessie, stretch) has been fixed.
CVE-2023-38469
Reachable assertion in avahi_dns_packet_append_record
CVE-2023-38470
Reachable assertion in avahi_escape_label
CVE-2023-38471
Reachable assertion in dbus_set_host_name
CVE-2023-38472
Reachable assertion in avahi_rdata_parse
CVE-2023-38473
Reachable assertion in avahi_alternative_host_name
For Debian 10 buster, these problems have been fixed in version 0.7-4+deb10u4.
For Debian 8 jessie, these problems have been fixed in version 0.6.31-5+deb8u3.
For Debian 9 stretch, these problems have been fixed in version 0.6.32-2+deb9u3.
We recommend that you upgrade your avahi packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.