[USN-6487-1] Avahi vulnerabilities

Nick Galanis nick.galanis at canonical.com
Mon Nov 20 17:04:18 UTC 2023


==========================================================================
Ubuntu Security Notice USN-6487-1
November 20, 2023

avahi vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Avahi could be made to crash if it received specially crafted
input.

Software Description:
- avahi: IPv4LL network address configuration daemon

Details:

Evgeny Vereshchagin discovered that Avahi contained several reachable
assertions, which could lead to intentional assertion failures when
specially crafted user input was given. An attacker could possibly use
this issue to cause a denial of service. (CVE-2023-38469, CVE-2023-38470,
CVE-2023-38471, CVE-2023-38472, CVE-2023-38473)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
   avahi-daemon                    0.8-10ubuntu1.1
   libavahi-client3                0.8-10ubuntu1.1
   libavahi-common3                0.8-10ubuntu1.1
   libavahi-core7                  0.8-10ubuntu1.1

Ubuntu 23.04:
   avahi-daemon                    0.8-6ubuntu1.23.04.2
   libavahi-client3                0.8-6ubuntu1.23.04.2
   libavahi-common3                0.8-6ubuntu1.23.04.2
   libavahi-core7                  0.8-6ubuntu1.23.04.2

Ubuntu 22.04 LTS:
   avahi-daemon                    0.8-5ubuntu5.2
   libavahi-client3                0.8-5ubuntu5.2
   libavahi-common3                0.8-5ubuntu5.2
   libavahi-core7                  0.8-5ubuntu5.2

Ubuntu 20.04 LTS:
   avahi-daemon                    0.7-4ubuntu7.3
   libavahi-client3                0.7-4ubuntu7.3
   libavahi-common3                0.7-4ubuntu7.3
   libavahi-core7                  0.7-4ubuntu7.3

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
   avahi-daemon                    0.7-3.1ubuntu1.3+esm2
   libavahi-client3                0.7-3.1ubuntu1.3+esm2
   libavahi-common3                0.7-3.1ubuntu1.3+esm2
   libavahi-core7                  0.7-3.1ubuntu1.3+esm2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
   avahi-daemon                    0.6.32~rc+dfsg-1ubuntu2.3+esm3
   libavahi-client3                0.6.32~rc+dfsg-1ubuntu2.3+esm3
   libavahi-common3                0.6.32~rc+dfsg-1ubuntu2.3+esm3
   libavahi-core7                  0.6.32~rc+dfsg-1ubuntu2.3+esm3

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
   avahi-daemon                    0.6.31-4ubuntu1.3+esm3
   libavahi-client3                0.6.31-4ubuntu1.3+esm3
   libavahi-common3                0.6.31-4ubuntu1.3+esm3
   libavahi-core7                  0.6.31-4ubuntu1.3+esm3

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-6487-1
   CVE-2023-38469, CVE-2023-38470, CVE-2023-38471, CVE-2023-38472,
   CVE-2023-38473

Package Information:
   https://launchpad.net/ubuntu/+source/avahi/0.8-10ubuntu1.1
   https://launchpad.net/ubuntu/+source/avahi/0.8-6ubuntu1.23.04.2
   https://launchpad.net/ubuntu/+source/avahi/0.8-5ubuntu5.2
   https://launchpad.net/ubuntu/+source/avahi/0.7-4ubuntu7.3

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20231120/a38c9c2c/attachment.sig>


More information about the ubuntu-security-announce mailing list