[ubuntu/plucky-proposed] avahi 0.8-14ubuntu1 (Accepted)
Mateus Rodrigues de Morais
mateus.morais at canonical.com
Fri Dec 13 19:21:16 UTC 2024
avahi (0.8-14ubuntu1) plucky; urgency=medium

  * Merge with Debian unstable (LP: #2090963). Remaining changes:
    - Disable lto, see https://bugzilla.redhat.com/show_bug.cgi?id=1907727
    - avahi-daemon-chroot-fix-bogus-assignments-in-assertions.patch,
      avahi-client-fix-resource-leak.patch: Issues discovered by static
      analysis (Upstream pull request #202)
    - SECURITY UPDATE: Reachable assertions exist in domain functions in
      avahi-common
      + debian/patches/CVE-2023-38470-2.patch: bail out when escaped
        labels can't fit into ret
      + CVE-2023-38470
    - SECURITY UPDATE: Reachable assertions exist in server functions in
      avahi-core
      + debian/patches/CVE-2023-38471-2.patch: core: return errors from
        avahi_server_set_host_name properly
      + CVE-2023-38471
  * Dropped changes, included in Debian:
    - SECURITY UPDATE: Reachable assertions exist in server functions of
      avahi-core
      + debian/patches/CVE-2023-38469-1.patch: reject overly long TXT
        resource records
      + debian/patches/CVE-2023-38469-2.patch: tests: pass overly long TXT
        resource records
      + CVE-2023-38469
    - SECURITY UPDATE: Reachable assertions exist in domain functions in
      avahi-common
      + debian/patches/CVE-2023-38470-1.patch: Ensure each label is at least
        one byte long
    - SECURITY UPDATE: Reachable assertions exist in server functions in
      avahi-core
      + debian/patches/CVE-2023-38471-1.patch: core: extract host name using
        avahi_unescape_label()
    - SECURITY UPDATE: Reachable assertions exist in dbus functions in
      avahi-daemon
      + debian/patches/CVE-2023-38472.patch: core: make sure there is rdata
        to process before parsing it
      + CVE-2023-38472
    - SECURITY UPDATE: Reachable assertions exist in alternative functions
      in avahi-common
      + debian/patches/CVE-2023-38473.patch: common: derive alternative host
        name from its unescaped version
      + CVE-2023-38473
  * Dropped changes, no longer needed:
    - avahi-autoipd: Demote isc-dhcp-client from Recommends to Suggests.
      Debian dropped isc-dhcp-client from Recommends altogether.

avahi (0.8-14) unstable; urgency=medium

  [ Simon McVittie ]
  * d/upstream/metadata: Add
  * d/watch: Use Github releases API
    (Closes: #1059615)
  * d/watch.devel: Add a secondary watch file that downloads release
    candidates.
    This is not used by default by infrastructure (we don't necessarily want
    to package every prerelease), but can be used via
    `uscan --watchfile debian/watch.devel`.
    Thanks to Marc Leeman
  * d/gbp.conf: Update packaging branch to debian/latest as per DEP-14
  * d/salsa-ci.yml: Add.
    Disable the cross-build test for now, this will need some more thought
    (perhaps building with nogir and/or nopython).

  [ Michael Biebl ]
  * Remove obsolete maintscript code from pre oldstable
  * Cleanup runtime / state directories more thoroughly on package purge.
    Those directories do not contain any valuable data that should be
    preserved beyond a package purge. So simplify the cleanup and do it more
    thoroughly by just removing all runtime and state files.
    While at it, correct an old changelog entry which referenced a wrong
    path. (Closes: #849454, #1051442)
  * Bump Standards-Version to 4.7.0
  * Drop isc-dhcp-client Recommends from avahi-autoipd.
    ISC DHCP client is no longer actively maintained, so stop recommending
    it. Still ship the integration hooks though for the time being.
    (Closes: #1064500)
  * avahi-discover: Fix invalid escape sequences.
    Patch cherry-picked from upstream Git. (Closes: #1085347)
  * core: make sure there is rdata to process before parsing it.
    Patch cherry-picked from upstream Git.
    (CVE-2023-38472, Closes: #1054879)
  * core: reject overly long TXT resource records.
    Patches cherry-picked from upstream Git.
    (CVE-2023-38469, Closes: #1054876)
  * Ensure each label is at least one byte long.
    Patch cherry-picked from upstream Git.
    (CVE-2023-38470, Closes: #1054877)
  * core: extract host name using avahi_unescape_label()
    Patch cherry-picked from upstream Git.
    (CVE-2023-38471, Closes: #1054878)
  * common: derive alternative host name from its unescaped version.
    Patch cherry-picked from upstream Git.
    (CVE-2023-38473, Closes: #1054880)

Date: Tue, 03 Dec 2024 17:57:06 -0300
Changed-By: Mateus Rodrigues de Morais <mateus.morais at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Nick Rosbrook <nick.rosbrook at canonical.com>
https://launchpad.net/ubuntu/+source/avahi/0.8-14ubuntu1
-------------- next part --------------
Format: 1.8
Date: Tue, 03 Dec 2024 17:57:06 -0300
Source: avahi
Built-For-Profiles: noudeb
Architecture: source
Version: 0.8-14ubuntu1
Distribution: plucky
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Mateus Rodrigues de Morais <mateus.morais at canonical.com>
Closes: 849454 1051442 1054876 1054877 1054878 1054879 1054880 1059615 1064500 1085347
Launchpad-Bugs-Fixed: 2090963
Files:
f2821eaeae5304f3095e6efa4d069ff9 4150 net optional avahi_0.8-14ubuntu1.dsc
88e5e17a6824721750531af37f210a0d 50816 net optional avahi_0.8-14ubuntu1.debian.tar.xz
1abda1cb08b2993dc909b5753ab0d1df 10318 net optional avahi_0.8-14ubuntu1_source.buildinfo
Original-Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers at lists.alioth.debian.org>
Vcs-Git: https://git.launchpad.net/~mateus-morais/ubuntu/+source/avahi
Vcs-Git-Commit: cbf593134c0ac8bb998bea7bac9d5fd4a3b1a679
Vcs-Git-Ref: refs/heads/merge-0.8-14-plucky