USN-696-1: Avahi vulnerabilities

18 December 2008

avahi vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 8.10
  • Ubuntu 8.04 LTS
  • Ubuntu 7.10
  • Ubuntu 6.06 LTS

Software Description

  • avahi

Details

Emanuele Aina discovered that Avahi did not properly validate its input when processing data over D-Bus. A local attacker could send an empty TXT message via D-Bus and cause a denial of service (failed assertion). This issue only affected Ubuntu 6.06 LTS. (CVE-2007-3372)

Hugo Dias discovered that Avahi did not properly verify its input when processing mDNS packets. A remote attacker could send a crafted mDNS packet and cause a denial of service (assertion failure). (CVE-2008-5081)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 8.10
avahi-daemon - 0.6.23-2ubuntu2.1
Ubuntu 8.04 LTS
avahi-daemon - 0.6.22-2ubuntu4.1
Ubuntu 7.10
avahi-daemon - 0.6.20-2ubuntu3.4
Ubuntu 6.06 LTS
avahi-daemon - 0.6.10-0ubuntu3.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the necessary changes.

References