Bug 34887 - avahi new security issues CVE-2025-68276, CVE-2025-68468 and CVE-2025-68471
Summary: avahi new security issues CVE-2025-68276, CVE-2025-68468 and CVE-2025-68471
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 35044
  Show dependency treegraph
 
Reported: 2025-12-22 10:07 CET by Nicolas Salguero
Modified: 2026-01-23 01:12 CET (History)
3 users (show)

See Also:
Source RPM: avahi-0.8-10.2.mga9.src.rpm
CVE: CVE-2025-68276, CVE-2025-68468, CVE-2025-68471
Status comment:
herman.viaene: test_passed_mga9_64+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Nicolas Salguero 2025-12-22 10:08:48 CET

Source RPM: (none) => avahi-0.8-16.mga10.src.rpm, avahi-0.8-10.2.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-59529
Status comment: (none) => Candidate fix available

Comment 1 Lewis Smith 2025-12-23 21:25:27 CET 
Thank you for the fix URL.

Assigning globally as various packagers touch this.

Assignee: bugsquad => pkg-bugs

Comment 2 Marja Van Waes 2025-12-31 14:05:27 CET 
Adding the flag: affects_mga9 +
to all bugs with MGA9TOO on the whiteboard, without removing MGA9TOO (for now).

Flags: (none) => affects_mga9+

Nicolas Salguero 2026-01-19 15:35:27 CET

CVE: CVE-2025-59529 => CVE-2025-59529, CVE-2025-68276, CVE-2025-68468, CVE-2025-68471
Summary: avahi new security issue CVE-2025-59529 => avahi new security issues CVE-2025-59529, CVE-2025-68276, CVE-2025-68468 and CVE-2025-68471
Status comment: Candidate fix available => Candidate fix available, fixes available from upstream

Comment 3 Nicolas Salguero 2026-01-19 15:35:55 CET 
openSUSE has issued an advisory on January 16:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/DR2CTF5XR6GVX3JYIAAO3ULJNUZDGBVS/
Comment 4 Nicolas Salguero 2026-01-19 15:54:07 CET 
avahi-0.8-17.mga10 fixes CVE-2025-68276, CVE-2025-68468 and CVE-2025-68471 but not CVE-2025-59529.

Source RPM: avahi-0.8-16.mga10.src.rpm, avahi-0.8-10.2.mga9.src.rpm => avahi-0.8-17.mga10.src.rpm, avahi-0.8-10.2.mga9.src.rpm

Comment 5 Nicolas Salguero 2026-01-20 15:29:03 CET 
Ubuntu has issued an advisory on January 19:
https://ubuntu.com/security/notices/USN-7967-1
Nicolas Salguero 2026-01-21 09:26:50 CET

Blocks: (none) => 35044

Comment 6 Nicolas Salguero 2026-01-21 09:29:13 CET 
CVE-2025-59529 in bug 35044

Flags: affects_mga9+ => (none)
Summary: avahi new security issues CVE-2025-59529, CVE-2025-68276, CVE-2025-68468 and CVE-2025-68471 => avahi new security issues CVE-2025-68276, CVE-2025-68468 and CVE-2025-68471
CVE: CVE-2025-59529, CVE-2025-68276, CVE-2025-68468, CVE-2025-68471 => CVE-2025-68276, CVE-2025-68468, CVE-2025-68471
Source RPM: avahi-0.8-17.mga10.src.rpm, avahi-0.8-10.2.mga9.src.rpm => avahi-0.8-10.2.mga9.src.rpm
Status comment: Candidate fix available, fixes available from upstream => fixes available from upstream
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)

Comment 7 Nicolas Salguero 2026-01-21 09:51:56 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Avahi has a reachable assertion in avahi_wide_area_scan_cache. (CVE-2025-68276)

Avahi has a reachable assertion in lookup_multicast_callback. (CVE-2025-68468)

Avahi has a reachable assertion in lookup_start. (CVE-2025-68471)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/DR2CTF5XR6GVX3JYIAAO3ULJNUZDGBVS/
https://ubuntu.com/security/notices/USN-7967-1
========================

Updated packages in core/updates_testing:
========================
avahi-0.8-10.3.mga9
avahi-dnsconfd-0.8-10.3.mga9
avahi-sharp-0.8-10.3.mga9
avahi-sharp-doc-0.8-10.3.mga9
avahi-x11-0.8-10.3.mga9
lib(64)avahi-client-devel-0.8-10.3.mga9
lib(64)avahi-client3-0.8-10.3.mga9
lib(64)avahi-common-devel-0.8-10.3.mga9
lib(64)avahi-common3-0.8-10.3.mga9
lib(64)avahi-compat-howl-devel-0.8-10.3.mga9
lib(64)avahi-compat-howl0-0.8-10.3.mga9
lib(64)avahi-compat-libdns_sd-devel-0.8-10.3.mga9
lib(64)avahi-compat-libdns_sd1-0.8-10.3.mga9
lib(64)avahi-core-devel-0.8-10.3.mga9
lib(64)avahi-core7-0.8-10.3.mga9
lib(64)avahi-gir0.6-0.8-10.3.mga9
lib(64)avahi-glib-devel-0.8-10.3.mga9
lib(64)avahi-glib1-0.8-10.3.mga9
lib(64)avahi-gobject-devel-0.8-10.3.mga9
lib(64)avahi-gobject0-0.8-10.3.mga9
lib(64)avahi-libevent-devel-0.8-10.3.mga9
lib(64)avahi-libevent1-0.8-10.3.mga9
lib(64)avahi-qt5-devel-0.8-10.3.mga9
lib(64)avahi-qt5_1-0.8-10.3.mga9
lib(64)avahi-ui-gtk3-devel-0.8-10.3.mga9
lib(64)avahi-ui-gtk3_0-0.8-10.3.mga9
lib(64)avahicore-gir0.6-0.8-10.3.mga9

from SRPM:
avahi-0.8-10.3.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Status comment: fixes available from upstream => (none)

Comment 8 Herman Viaene 2026-01-21 15:51:20 CET 
MGA9-server 64 Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 32363 Comment 6 for testing.
Used the commands 
avahi-discover-standalone
and
avahi-browse --all -t
Both providing sensible output.
OK for me.

CC: (none) => herman.viaene

Herman Viaene 2026-01-21 15:52:02 CET

Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+

katnatek 2026-01-21 23:41:22 CET

Keywords: (none) => advisory

Comment 9 Thomas Andrews 2026-01-22 13:36:31 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 10 Mageia Robot 2026-01-23 01:12:27 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0016.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.