Overview

File _patchinfo of Package patchinfo.42244

<patchinfo incident="42244">
  <issue tracker="cve" id="2021-3468"/>
  <issue tracker="cve" id="2024-52616"/>
  <issue tracker="cve" id="2025-68276"/>
  <issue tracker="cve" id="2021-26720"/>
  <issue tracker="cve" id="2018-1000845"/>
  <issue tracker="cve" id="2025-68468"/>
  <issue tracker="cve" id="2024-52615"/>
  <issue tracker="cve" id="2023-1981"/>
  <issue tracker="cve" id="2025-68471"/>
  <issue tracker="bnc" id="1233420">VUL-0: CVE-2024-52616: avahi: Avahi Wide-Area DNS Predictable Transaction IDs</issue>
  <issue tracker="bnc" id="1184521">VUL-0: CVE-2021-3468: avahi: local DoS by event-busy-loop from writing long lines to /run/avahi-daemon/socket</issue>
  <issue tracker="bnc" id="1163683">avahi: spurious name conflicts in case of reflector</issue>
  <issue tracker="bnc" id="1085255">VUL-1: avahi: remote denial of service (out of memory abort) crashes</issue>
  <issue tracker="bnc" id="1180827">VUL-0: CVE-2021-26720: avahi: outdated and insecure if-up script avahi-daemon-check-dns.sh</issue>
  <issue tracker="bnc" id="1233421">VUL-0: CVE-2024-52615: avahi: Avahi Wide-Area DNS Uses Constant Source Port</issue>
  <issue tracker="bnc" id="1154063">AUDIT-FIND: avahi-autoipd: LPE via recursive chown in %post</issue>
  <issue tracker="bnc" id="1256498">VUL-0: CVE-2025-68276: avahi: reachable assertion in `avahi_wide_area_scan_cache` can lead to crash of avahi-daemon</issue>
  <issue tracker="bnc" id="1120281">VUL-0: CVE-2018-1000845: avahi: DNS amplification and reflection to spoofed addresses</issue>
  <issue tracker="bnc" id="1256500">VUL-0: CVE-2025-68471: avahi: reachable assertion in `lookup_start` can lead to crash of avahi-daemon</issue>
  <issue tracker="bnc" id="1210328">VUL-0: CVE-2023-1981: avahi: avahi-daemon can be crashed via DBus</issue>
  <issue tracker="bnc" id="1256499">VUL-0: CVE-2025-68468: avahi: reachable assertion in `lookup_multicast_callback` can lead to crash of avahi-daemon</issue>
  <packager>qzhao</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for avahi</summary>
  <description>This update for avahi fixes the following issues:

Security fixes:

- CVE-2018-1000845: avahi: DNS amplification and reflection to spoofed addresses (bsc#1120281).
- CVE-2021-26720: avahi: outdated and insecure if-up script avahi-daemon-check-dns.sh (bsc#1180827).
- CVE-2021-3468: avahi: local DoS by event-busy-loop from writing long lines to /run/avahi-daemon/socket (bsc#1184521).
- CVE-2023-1981: avahi: avahi-daemon can be crashed via DBus (bsc#1210328).
- CVE-2024-52615: avahi: Avahi Wide-Area DNS Uses Constant Source Port (bsc#1233421).
- CVE-2024-52616: avahi: Avahi Wide-Area DNS Predictable Transaction IDs (bsc#1233420).
- CVE-2025-68276: avahi: reachable assertion in `avahi_wide_area_scan_cache` can lead to crash of avahi-daemon (bsc#1256498).
- CVE-2025-68468: avahi: reachable assertion in `lookup_multicast_callback` can lead to crash of avahi-daemon (bsc#1256499).
- CVE-2025-68471: avahi: reachable assertion in `lookup_start` can lead to crash of avahi-daemon (bsc#1256500).

Other fixes:

- LPE via recursive chown in %post (bsc#1154063).
- remote denial of service (out of memory abort) crashes (bsc#1085255).
- spurious name conflicts in case of reflector (bsc#1163683).
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places