Hi Adrian,

On Thu, Dec 19, 2024 at 09:24:22AM +0200, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm moreinfo
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: secur...@debian.org, Michael Biebl <bi...@debian.org>, Utopia
> Maintenance Team <pkg-utopia-maintain...@lists.alioth.debian.org>
>
> * core: make sure there is rdata to process before parsing it.
> Patch cherry-picked from upstream Git.
> (CVE-2023-38472, Closes: #1054879)
> * core: reject overly long TXT resource records.
> Patches cherry-picked from upstream Git.
> (CVE-2023-38469, Closes: #1054876)
> * Ensure each label is at least one byte long.
> Patch cherry-picked from upstream Git.
> (CVE-2023-38470, Closes: #1054877)
> * core: extract host name using avahi_unescape_label()
> Patch cherry-picked from upstream Git.
> (CVE-2023-38471, Closes: #1054878)
> * common: derive alternative host name from its unescaped version.
> Patch cherry-picked from upstream Git.
> (CVE-2023-38473, Closes: #1054880)
> * Fix browsing when invalid services present.
> See https://github.com/lathiat/avahi/issues/212
>
>
> Tagged moreinfo for two reasons:
>
> 1. This is work done by Michael Biebl, it would be fine for me
> to close this request for a maintainer upload.

Thanks for preparing the update, bookworm-pu is indeed perfectly fine for this (we do not need a DSA, and it is marked as such already).

> 2. A question to the security team is whether the last item should
> get a CVE, there is some discussion in the upstream issue about
> that but apparently none has been assigned.

Thanks for the pointer, will have a closer look. But it's not strictly needed. It's crashing avahi-browse only, which would be in any case minor (likely even more towards unimportant for us), but let's see from Red Hat if they still aim to assign a CVE.

Regards,
Salvatore