[Debian] Medium CVE: CVE-2021-3468: avahi: trigger an infinite loop

Bug #2021447 reported by Yue Tao
Affects | Status | Importance | Assigned to | Milestone
StarlingX | Fix Released | Medium | Li Zhou |

Bug Description

CVE-2021-3468: https://nvd.nist.gov/vuln/detail/CVE-2021-3468

A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.

Base Score: Medium

Reference:

https://security-tracker.debian.org/tracker/CVE-2021-3468

avahi-daemon_0.8-5_amd64.deb ===> avahi-daemon_0.8-5+deb11u2_amd64.deb
libavahi-client3_0.8-5_amd64.deb ===> libavahi-client3_0.8-5+deb11u2_amd64.deb
libavahi-common3_0.8-5_amd64.deb ===> libavahi-common3_0.8-5+deb11u2_amd64.deb
libavahi-common-data_0.8-5_amd64.deb ===> libavahi-common-data_0.8-5+deb11u2_amd64.deb
libavahi-core7_0.8-5_amd64.deb ===> libavahi-core7_0.8-5+deb11u2_amd64.deb
libavahi-glib1_0.8-5_amd64.deb ===> libavahi-glib1_0.8-5+deb11u2_amd64.deb
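
The hang described in the bug description above, as a simplified model added here (not avahi's code and not part of the original report). It assumes the termination event is the poll() hang-up flag (POLLHUP) and that the server has no read or write pending on the client socket; the function names and the MAX_WAKEUPS cap are hypothetical.

```c
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_WAKEUPS 1000 /* hypothetical cap so the model always terminates */

/* Model of a handler that reacts to readable data only and never looks at
 * the hang-up flag. Returns 1 to keep the watch registered. */
static int handle_without_hup_check(int fd, short revents) {
    char buf[64];
    if ((revents & POLLIN) && read(fd, buf, sizeof buf) < 0)
        perror("read");
    return 1;
}

/* Hardened form: test for hang-up or error first and drop the client. */
static int handle_with_hup_check(int fd, short revents) {
    if (revents & (POLLHUP | POLLERR))
        return 0; /* caller closes the fd and removes the watch */
    return handle_without_hup_check(fd, revents);
}

/* A local client connects and disconnects; count event-loop wakeups. */
static int wakeups_after_disconnect(int (*handler)(int, short)) {
    int sv[2], n = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    close(sv[1]); /* client end goes away */
    /* Assumption: no read or write is wanted; poll() reports POLLHUP anyway. */
    struct pollfd p = { .fd = sv[0], .events = 0 };
    while (n < MAX_WAKEUPS) {
        if (poll(&p, 1, 100) <= 0)
            break; /* nothing pending: a real loop would sleep here */
        n++;
        if (!handler(p.fd, p.revents))
            break;
    }
    close(sv[0]);
    return n;
}

int main(void) {
    printf("without check: %d wakeups (capped at %d)\n",
           wakeups_after_disconnect(handle_without_hup_check), MAX_WAKEUPS);
    printf("with check:    %d wakeup(s)\n",
           wakeups_after_disconnect(handle_with_hup_check));
    return 0;
}
```

Without the cap, the first handler never lets the loop block again, which is the unresponsive-service condition the description refers to.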

Yue Tao (wrytao)
Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
tags: added: stx.9.0 stx.security

Li Zhou (lzhou2)
Changed in starlingx:
assignee: nobody → Li Zhou (lzhou2)

Ghada Khalil (gkhalil) wrote:
Changed in starlingx:
status: Triaged → Fix Released

This report contains Public Security information  
Everyone can see this security related information.