Fedora has issued an advisory today (April 18):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VCTAFULPERZVYFFVHM7IEYXYRNHQDJAU/

Mageia 8 is also affected.
Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO
Assigning this globally as no one packager is in evidence for avahi.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Prevent crashes on some invalid DBus calls. (CVE-2023-1981)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1981
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VCTAFULPERZVYFFVHM7IEYXYRNHQDJAU/
========================

Updated packages in core/updates_testing:
========================
avahi-0.8-6.3.mga8
avahi-dnsconfd-0.8-6.3.mga8
avahi-sharp-0.8-6.3.mga8
avahi-sharp-doc-0.8-6.3.mga8
avahi-x11-0.8-6.3.mga8
lib(64)avahicore-gir0.6-0.8-6.3.mga8
lib(64)avahi-client3-0.8-6.3.mga8
lib(64)avahi-client-devel-0.8-6.3.mga8
lib(64)avahi-common3-0.8-6.3.mga8
lib(64)avahi-common-devel-0.8-6.3.mga8
lib(64)avahi-compat-howl0-0.8-6.3.mga8
lib(64)avahi-compat-howl-devel-0.8-6.3.mga8
lib(64)avahi-compat-libdns_sd1-0.8-6.3.mga8
lib(64)avahi-compat-libdns_sd-devel-0.8-6.3.mga8
lib(64)avahi-core7-0.8-6.3.mga8
lib(64)avahi-core-devel-0.8-6.3.mga8
lib(64)avahi-gir0.6-0.8-6.3.mga8
lib(64)avahi-glib1-0.8-6.3.mga8
lib(64)avahi-glib-devel-0.8-6.3.mga8
lib(64)avahi-gobject0-0.8-6.3.mga8
lib(64)avahi-gobject-devel-0.8-6.3.mga8
lib(64)avahi-libevent1-0.8-6.3.mga8
lib(64)avahi-libevent-devel-0.8-6.3.mga8
lib(64)avahi-qt5_1-0.8-6.3.mga8
lib(64)avahi-qt5-devel-0.8-6.3.mga8
lib(64)avahi-ui-gtk3_0-0.8-6.3.mga8
lib(64)avahi-ui-gtk3-devel-0.8-6.3.mga8

from SRPM:
avahi-0.8-6.3.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 8
CVE: (none) => CVE-2023-1981
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Status comment: Patch available from Fedora => (none)
mageia8, x86_64

Not much information about this vulnerability online.
Installed everything before updating then used qarepo and MageiaUpdate to update all the packages.
It looks like the service avahi-daemon was restarted on installation.

Tried some commands.

$ avahi-resolve-host-name localhost.localdomain
localhost.localdomain 127.0.0.1

$ avahi-browse --all -t
+ eno1 IPv4 HP Officejet 100 Mobile l411 @ canopus _ipps._tcp local
+ eno1 IPv4 HP Photosmart 5520 @ canopus _ipps._tcp local
+ lo IPv4 HP Officejet 100 Mobile l411 @ canopus _ipps._tcp local
+ lo IPv4 HP Photosmart 5520 @ canopus _ipps._tcp local
+ eno1 IPv4 HP Officejet 100 Mobile l411 @ canopus _printer._tcp local
+ eno1 IPv4 HP Photosmart 5520 @ canopus _printer._tcp local
+ lo IPv4 HP Officejet 100 Mobile l411 @ canopus _printer._tcp local
+ lo IPv4 HP Photosmart 5520 @ canopus _printer._tcp local
+ eno1 IPv4 HP Officejet 100 Mobile l411 @ canopus _ipp._tcp local
+ eno1 IPv4 HP Photosmart 5520 @ canopus _ipp._tcp local
+ lo IPv4 HP Officejet 100 Mobile l411 @ canopus _ipp._tcp local
+ lo IPv4 HP Photosmart 5520 @ canopus _ipp._tcp local
+ eno1 IPv4 canopus _ssh._tcp local
+ eno1 IPv4 Remote Access on canopus _ssh._tcp local
+ lo IPv4 canopus _ssh._tcp local
+ lo IPv4 Remote Access on canopus _ssh._tcp local
+ eno1 IPv4 Remote Access on canopus _sftp-ssh._tcp local
+ eno1 IPv4 Remote Access on gomeisa _sftp-ssh._tcp local
+ lo IPv4 Remote Access on canopus _sftp-ssh._tcp local
+ eno1 IPv4 Photosmart 5520 series [DF8761] _ipp._tcp local
+ eno1 IPv4 gomeisa _ssh._tcp local
+ eno1 IPv4 Remote Access on gomeisa _ssh._tcp local
+ eno1 IPv4 spica _http._tcp local
+ eno1 IPv4 Photosmart 5520 series [DF8761] _pdl-datastream._tcp local
+ eno1 IPv4 Photosmart 5520 series [DF8761] _http._tcp local
+ eno1 IPv4 Photosmart 5520 series [DF8761] _scanner._tcp local
+ eno1 IPv4 Photosmart 5520 series [DF8761] _http-alt._tcp local
+ eno1 IPv4 Photosmart 5520 series [DF8761] _uscan._tcp local

$ ls /usr/bin | grep avahi
avahi-browse*
avahi-browse-domains@
avahi-discover-standalone*
avahi-publish*
avahi-publish-address@
avahi-publish-service@
avahi-resolve*
avahi-resolve-address@
avahi-resolve-host-name@
avahi-set-host-name*

$ avahi-discover-standalone
This lists a number of devices and pops up a widget 'Avahi discovery' which displays the list of devices against the interface name. Clicking on any entry gives more information about the device.

The other commands require more knowledge so this is as far as it goes.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
Validating. Advisory in comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0158.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED