https://nvd.nist.gov/vuln/detail/CVE-2017-6519
"avahi-daemon in Avahi through 0.6.32 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809."

https://bugzilla.redhat.com/show_bug.cgi?id=1426712
"It was found that avahi responds to unicast queries coming from outside of local network which may cause an information leak, such as disclosing the device type/model that responds to the request or the operating system. The mDNS response may also be used to amplify denial of service attacks against other networks as the response size is greater than the size of request.

External References:
https://www.kb.cert.org/vuls/id/550620"

Upstream Bug: https://github.com/lathiat/avahi/issues/145

Update: "Drop legacy unicast queries from address not on local link"

https://github.com/lathiat/avahi/commit/e111def44a7df4624a4aa3f85fe98054bffb6b4f
https://github.com/lathiat/avahi/compare/v0.7...master

net-dns/avahi:
          |                           a     |       |
          |                           m     |       |
          |                           d   x |       |
          |                           6   8 |       |
          |                           4   6 |   u   |
          | a a   a     p           s |   | |   n   |
          | l m   r i   p   h m s   p f m f | e u s | r
          | p d a m a p c x p 6 3   a b i b | a s l | e
          | h 6 r 6 6 p 6 8 p 8 9 s r s p s | p e o | p
          | a 4 m 4 4 c 4 6 a k 0 h c d s d | i d t | o
----------+---------------------------------+-------+-------
0.6.32    | o o o o o o o o + o o o o o o o | 5 # 0 | gentoo
0.7-r1    | + + + + + + + + + o + o + ~ ~ o | 6 o   | gentoo
0.7-r2    | ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ o ~ ~ ~ o | 6 o   | gentoo

Seems bug 635418 closes this one also.

(In reply to D'juan McDonald (domhnall) from comment #2)
> Update: "Drop legacy unicast queries from address not on local link"
>
> https://github.com/lathiat/avahi/commit/
> e111def44a7df4624a4aa3f85fe98054bffb6b4f
> https://github.com/lathiat/avahi/compare/v0.7...master
>
> net-dns/avahi:
>           |                           a     |       |
>           |                           m     |       |
>           |                           d   x |       |
>           |                           6   8 |       |
>           |                           4   6 |   u   |
>           | a a   a     p           s |   | |   n   |
>           | l m   r i   p   h m s   p f m f | e u s | r
>           | p d a m a p c x p 6 3   a b i b | a s l | e
>           | h 6 r 6 6 p 6 8 p 8 9 s r s p s | p e o | p
>           | a 4 m 4 4 c 4 6 a k 0 h c d s d | i d t | o
> ----------+---------------------------------+-------+-------
> 0.6.32    | o o o o o o o o + o o o o o o o | 5 # 0 | gentoo
> 0.7-r1    | + + + + + + + + + o + o + ~ ~ o | 6 o   | gentoo
> 0.7-r2    | ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ o ~ ~ ~ o | 6 o   | gentoo
>
> Seems bug 635418 closes this one also.

How so? 33 commits made to master since the 0.7 release. No patches in the tree address this...

I added it to the tree.
Was fixed in 0.7-r2, tree is clean now. Setting to [glsa?].
GLSA Vote: No

Thank you all for your work. Closing as [noglsa].
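
The rule named in the upstream commit title quoted above ("Drop legacy unicast queries from address not on local link"), sketched as an added example; this is not Avahi's code and not part of the bug thread. The struct, function names and sample prefixes are assumptions made for illustration, and "legacy unicast" is taken in the RFC 6762 sense of a query whose source port is not 5353.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MDNS_PORT 5353

/* An address/prefix assigned to the receiving interface (hypothetical type). */
struct if_prefix { int family; const char *addr; unsigned prefix_len; };

/* Constructed sample data: RFC 1918, documentation and link-local prefixes. */
static const struct if_prefix SAMPLE_PREFIXES[] = {
    { AF_INET,  "192.168.1.10",   24 },
    { AF_INET,  "10.64.0.1",      10 },
    { AF_INET6, "2001:db8:1::10", 64 },
    { AF_INET6, "fe80::1",        64 },
};
static const size_t N_SAMPLE = sizeof SAMPLE_PREFIXES / sizeof SAMPLE_PREFIXES[0];

/* 1 if the first `bits` bits of a and b match (handles non-byte-aligned lengths). */
static int prefix_equal(const uint8_t *a, const uint8_t *b, unsigned bits) {
    unsigned full = bits / 8, rem = bits % 8;
    if (memcmp(a, b, full) != 0) return 0;
    if (rem == 0) return 1;
    uint8_t mask = (uint8_t)(0xFFu << (8 - rem));
    return (a[full] & mask) == (b[full] & mask);
}

/* 1 if src falls inside any prefix configured on the interface. */
int source_is_on_link(int family, const char *src,
                      const struct if_prefix *p, size_t n) {
    uint8_t s[16], a[16];
    unsigned max_bits = (family == AF_INET6) ? 128 : 32;
    if (inet_pton(family, src, s) != 1) return 0;   /* unparsable: treat as off-link */
    for (size_t i = 0; i < n; i++) {
        if (p[i].family != family || p[i].prefix_len > max_bits) continue;
        if (inet_pton(family, p[i].addr, a) != 1) continue;
        if (prefix_equal(s, a, p[i].prefix_len)) return 1;
    }
    return 0;
}

/* 1 if the query is legacy unicast (source port other than 5353, RFC 6762)
 * and its source address is not on the local link, i.e. it should be dropped. */
int drop_legacy_unicast_query(int family, const char *src, uint16_t src_port,
                              const struct if_prefix *p, size_t n) {
    if (src_port == MDNS_PORT) return 0;            /* not a legacy unicast query */
    return !source_is_on_link(family, src, p, n);
}
```

The function only models the one rule from the commit title; queries arriving from source port 5353 are left to whatever other checks the responder applies.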