SUSE has issued an advisory on January 25:
http://lists.suse.com/pipermail/sle-security-updates/2019-January/005065.html

The CVE-2018-1000845 is actually a duplicate according to RedHat:
https://bugzilla.redhat.com/show_bug.cgi?id=1426712

The RedHat bug has a link to the upstream fix.

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
CC: (none) => marja11
really assigning now :-(
Assignee: bugsquad => shlomif
Ubuntu has issued an advisory for this on January 31: https://usn.ubuntu.com/3876-1/
Advisory:
========================

Updated avahi packages fix security vulnerability:

It was found that avahi responds to unicast queries coming from outside of local network which may cause an information leak, such as disclosing the device type/model that responds to the request or the operating system. The mDNS response may also be used to amplify denial of service attacks against other networks as the response size is greater than the size of request (CVE-2017-6519).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6519
https://bugzilla.redhat.com/show_bug.cgi?id=1426712
https://usn.ubuntu.com/3876-1/
========================

Updated packages in core/updates_testing:
========================
avahi-0.6.32-1.1.mga6
avahi-dnsconfd-0.6.32-1.1.mga6
avahi-x11-0.6.32-1.1.mga6
avahi-python-0.6.32-1.1.mga6
avahi-sharp-0.6.32-1.1.mga6
avahi-sharp-doc-0.6.32-1.1.mga6
libavahi-client3-0.6.32-1.1.mga6
libavahi-client-devel-0.6.32-1.1.mga6
libavahi-common3-0.6.32-1.1.mga6
libavahi-common-devel-0.6.32-1.1.mga6
libavahi-core7-0.6.32-1.1.mga6
libavahi-core-devel-0.6.32-1.1.mga6
libavahi-compat-libdns_sd1-0.6.32-1.1.mga6
libavahi-compat-libdns_sd-devel-0.6.32-1.1.mga6
libavahi-glib1-0.6.32-1.1.mga6
libavahi-glib-devel-0.6.32-1.1.mga6
libavahi-gobject0-0.6.32-1.1.mga6
libavahi-gobject-devel-0.6.32-1.1.mga6
libavahi-compat-howl0-0.6.32-1.1.mga6
libavahi-compat-howl-devel-0.6.32-1.1.mga6
libavahi-qt4_1-0.6.32-1.1.mga6
libavahi-qt4-devel-0.6.32-1.1.mga6
libavahi-ui-gtk3_0-0.6.32-1.1.mga6
libavahi-ui-gtk3-devel-0.6.32-1.1.mga6
libavahi-ui1-0.6.32-1.1.mga6
libavahi-ui-devel-0.6.32-1.1.mga6
libavahicore-gir0.6-0.6.32-1.1.mga6
libavahi-gir0.6-0.6.32-1.1.mga6

from avahi-0.6.32-1.1.mga6.src.rpm
Assignee: shlomif => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
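The source-address check that the advisory's description implies (answer an mDNS query only when the sender is inside a prefix configured on the receiving interface), run over a few query records. This is an added example, not part of the original thread and not avahi's code; the interface name, addresses and prefix lengths are constructed sample values.

```python
import ipaddress

MDNS_PORT = 5353

# Constructed sample: prefixes configured on the responder's interfaces.
LOCAL_INTERFACES = {
    "eth0": ["192.168.1.10/24", "fe80::a00:27ff:fe00:1/64"],
}

# Constructed sample query records: (receiving interface, source IP, source port).
SAMPLE_QUERIES = [
    ("eth0", "192.168.1.125", 5353),   # ordinary mDNS peer on the link
    ("eth0", "192.168.1.40", 49152),   # legacy unicast query, same subnet
    ("eth0", "203.0.113.7", 40000),    # unicast query from outside the link
    ("eth0", "fe80::1", 5353),         # IPv6 link-local peer
    ("eth0", "2001:db8::5", 5353),     # IPv6 source outside the link
]


def is_on_link(iface, src, interfaces=LOCAL_INTERFACES):
    """True if src lies inside a prefix configured on iface."""
    addr = ipaddress.ip_address(src)
    for cidr in interfaces.get(iface, []):
        net = ipaddress.ip_interface(cidr).network
        if addr.version == net.version and addr in net:
            return True
    return False


def classify(iface, src, sport, interfaces=LOCAL_INTERFACES):
    """Return 'answer', 'answer-legacy-unicast' or 'drop' for one query."""
    if not is_on_link(iface, src, interfaces):
        return "drop"  # off-link sender: replying leaks host info and amplifies
    return "answer" if sport == MDNS_PORT else "answer-legacy-unicast"


def off_link_sources(queries, interfaces=LOCAL_INTERFACES):
    """Sorted list of source addresses whose queries must not be answered."""
    return sorted({src for iface, src, sport in queries
                   if classify(iface, src, sport, interfaces) == "drop"})


if __name__ == "__main__":
    for query in SAMPLE_QUERIES:
        print(query, "->", classify(*query))
    print("off-link sources:", off_link_sources(SAMPLE_QUERIES))
```
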
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Tried a few commands

$ avahi-discover-standalone
*** WARNING: Detected another IPv4 mDNS stack running on this host. This makes mDNS unreliable and is thus not recommended. ***
*** WARNING: Detected another IPv6 mDNS stack running on this host. This makes mDNS unreliable and is thus not recommended. ***
Joining mDNS multicast group on interface wlp2s2.IPv6 with address fe80::213:ceff:fecf:6f09.
New relevant interface wlp2s2.IPv6 for mDNS.
Joining mDNS multicast group on interface wlp2s2.IPv4 with address 192.168.2.125.
New relevant interface wlp2s2.IPv4 for mDNS.
Joining mDNS multicast group on interface enp2s8.IPv6 with address fe80::20a:e4ff:fec3:7339.
New relevant interface enp2s8.IPv6 for mDNS.
Joining mDNS multicast group on interface enp2s8.IPv4 with address 192.168.2.6.
New relevant interface enp2s8.IPv4 for mDNS.
Network interface enumeration completed.
and some more....

$ avahi-discover
Gtk-Message: Failed to load module "canberra-gtk-module"
Browsing domain 'local' on -1.-1 ...
Browsing domain 'fritz.box' on -1.-1 ...
Browsing domain '<mylocaldomain>' on -1.-1 ...

$ avahi-browse-domains
+ n/a n/a fritz.box
+ n/a n/a <mylocaldomain>

$ avahi-resolve-host-name <desktopFQDN>
<desktopFQDN> 192.168.2.1

All looks OK.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0081.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED