Bug 24251 - avahi new security issue CVE-2017-6519
Summary: avahi new security issue CVE-2017-6519
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-01-28 01:31 CET by David Walser
Modified: 2019-02-14 09:40 CET (History)
4 users (show)

See Also:
Source RPM: avahi-0.7-3.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-01-28 01:31:24 CET
SUSE has issued an advisory on January 25:
http://lists.suse.com/pipermail/sle-security-updates/2019-January/005065.html

The CVE-2018-1000845 is actually a duplicate according to RedHat:
https://bugzilla.redhat.com/show_bug.cgi?id=1426712

The RedHat bug has a link to the upstream fix.

Mageia 6 is also affected.
David Walser 2019-01-28 01:31:31 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-01-30 12:40:02 CET
Assigning to the registered maintainer.

CC: (none) => marja11

Comment 2 Marja Van Waes 2019-01-30 12:45:16 CET
really assigning now :-(

Assignee: bugsquad => shlomif

Comment 3 David Walser 2019-02-01 19:15:19 CET
Ubuntu has issued an advisory for this on January 31:
https://usn.ubuntu.com/3876-1/
Comment 4 David Walser 2019-02-02 23:16:27 CET
Advisory:
========================

Updated avahi packages fix security vulnerability:

It was found that avahi responds to unicast queries coming from outside of
local network which may cause an information leak, such as disclosing the
device type/model that responds to the request or the operating system. The
mDNS response may also be used to amplify denial of service attacks against
other networks as the response size is greater than the size of request
(CVE-2017-6519).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6519
https://bugzilla.redhat.com/show_bug.cgi?id=1426712
https://usn.ubuntu.com/3876-1/
========================

Updated packages in core/updates_testing:
========================
avahi-0.6.32-1.1.mga6
avahi-dnsconfd-0.6.32-1.1.mga6
avahi-x11-0.6.32-1.1.mga6
avahi-python-0.6.32-1.1.mga6
avahi-sharp-0.6.32-1.1.mga6
avahi-sharp-doc-0.6.32-1.1.mga6
libavahi-client3-0.6.32-1.1.mga6
libavahi-client-devel-0.6.32-1.1.mga6
libavahi-common3-0.6.32-1.1.mga6
libavahi-common-devel-0.6.32-1.1.mga6
libavahi-core7-0.6.32-1.1.mga6
libavahi-core-devel-0.6.32-1.1.mga6
libavahi-compat-libdns_sd1-0.6.32-1.1.mga6
libavahi-compat-libdns_sd-devel-0.6.32-1.1.mga6
libavahi-glib1-0.6.32-1.1.mga6
libavahi-glib-devel-0.6.32-1.1.mga6
libavahi-gobject0-0.6.32-1.1.mga6
libavahi-gobject-devel-0.6.32-1.1.mga6
libavahi-compat-howl0-0.6.32-1.1.mga6
libavahi-compat-howl-devel-0.6.32-1.1.mga6
libavahi-qt4_1-0.6.32-1.1.mga6
libavahi-qt4-devel-0.6.32-1.1.mga6
libavahi-ui-gtk3_0-0.6.32-1.1.mga6
libavahi-ui-gtk3-devel-0.6.32-1.1.mga6
libavahi-ui1-0.6.32-1.1.mga6
libavahi-ui-devel-0.6.32-1.1.mga6
libavahicore-gir0.6-0.6.32-1.1.mga6
libavahi-gir0.6-0.6.32-1.1.mga6

from avahi-0.6.32-1.1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Assignee: shlomif => qa-bugs

David Walser 2019-02-02 23:16:33 CET

Version: Cauldron => 6

Comment 5 Herman Viaene 2019-02-06 14:58:41 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Tried a few commands
$ avahi-discover-standalone 
*** WARNING: Detected another IPv4 mDNS stack running on this host. This makes mDNS unreliable and is thus not recommended. ***
*** WARNING: Detected another IPv6 mDNS stack running on this host. This makes mDNS unreliable and is thus not recommended. ***
Joining mDNS multicast group on interface wlp2s2.IPv6 with address fe80::213:ceff:fecf:6f09.
New relevant interface wlp2s2.IPv6 for mDNS.
Joining mDNS multicast group on interface wlp2s2.IPv4 with address 192.168.2.125.
New relevant interface wlp2s2.IPv4 for mDNS.
Joining mDNS multicast group on interface enp2s8.IPv6 with address fe80::20a:e4ff:fec3:7339.
New relevant interface enp2s8.IPv6 for mDNS.
Joining mDNS multicast group on interface enp2s8.IPv4 with address 192.168.2.6.
New relevant interface enp2s8.IPv4 for mDNS.
Network interface enumeration completed.
and some more....

$ avahi-discover
Gtk-Message: Failed to load module "canberra-gtk-module"
Browsing domain 'local' on -1.-1 ...
Browsing domain 'fritz.box' on -1.-1 ...
Browsing domain '<mylocaldomain>' on -1.-1 ...

$ avahi-browse-domains 
+  n/a  n/a fritz.box
+  n/a  n/a <mylocaldomain>

$ avahi-resolve-host-name <desktopFQDN>
<desktopFQDN> 192.168.2.1

All looks OK.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Dave Hodgins 2019-02-14 08:02:20 CET

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2019-02-14 09:40:22 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0081.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.