avahi-daemon should be downgraded to a recommends dependency

Bug #559770 reported by Loye Young
This bug affects 2 people
Affects: avahi (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: avahi-utils

Avahi-utils *depends* on avahi-daemon, but should only *suggest* avahi-daemon. Avahi-daemon should *suggest* (or at best *recommend*) avahi-utils.

In many situations (especially in a corporate heterogeneous environment), it would be inappropriate for the host to advertise services, but the host should be able to discover services (e.g., most notably printing).

Avahi-daemon advertises services on the host, but the utilities in avahi-utils are useful in situations when the host's services should not be advertised. Consequently, avahi-utils should not depend on avahi-daemon.

Loye Young (loyeyoung)
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

security vulnerability: yes → no
Loye Young (loyeyoung) wrote : Re: [Bug 559770] Re: avahi-daemon should be downgraded to a recommends dependency

Avahi-daemon is a security risk and does allow crossing of privilege
boundaries because it makes possible automatic connections among hosts on
the network irrespective of the policies set up by network administrators.

This is an argument that we went through in Hardy LTS. The compromise was to
make avahi-daemon a recommends.

This bug is a regression from Hardy LTS.

Loye Young
<email address hidden>
281-968-0828

On Tue, Apr 13, 2010 at 10:58 AM, Jamie Strandboge <email address hidden> wrote:

> Thanks for taking the time to report this bug and helping to make Ubuntu
> better. We appreciate the difficulties you are facing, but this appears
> to be a "regular" (non-security) bug. I have unmarked it as a security
> issue since this bug does not show evidence of allowing attackers to
> cross privilege boundaries nor directly cause loss of data/privacy.
> Please feel free to report any other bugs you may find.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in avahi (Ubuntu):
status: New → Confirmed