-
avahi (0.8-3ubuntu1.1) groovy-security; urgency=medium
* SECURITY UPDATE: DoS via infinite loop on local socket
- debian/patches/CVE-2021-3468.patch: handle HUP event in
avahi-daemon/simple-protocol.c.
- CVE-2021-3468
* SECURITY UPDATE: DoS in avahi_s_host_name_resolver_start
- debian/patches/CVE-2021-3502.patch: fix multiple null pointer crashes
in avahi-core/browse-dns-server.c, avahi-core/browse-domain.c,
avahi-core/browse-service-type.c, avahi-core/browse-service.c,
avahi-core/browse.c, avahi-core/resolve-address.c,
avahi-core/resolve-host-name.c, avahi-core/resolve-service.c.
- CVE-2021-3502
-- Marc Deslauriers <email address hidden> Tue, 06 Jul 2021 11:37:07 -0400
-
avahi (0.8-3ubuntu1) groovy; urgency=low
* Merge from Debian unstable. Remaining changes:
- Remove avahi-daemon-check-dns.sh hack, the feature is provided by
libnss-mdns now
avahi (0.8-3) unstable; urgency=medium
* Team upload
* Upload python3-avahi to unstable
* d/control: Add comments about why some packages are Arch: any.
At first glance these packages seem like they should be
Architecture: all, but in fact they cannot.
* d/control, d/shlibs.local: Tighten interdependencies within src:avahi.
Co-installation of binary packages built from different versions of the
same source package is error-prone, because parts of the same source
package typically make assumptions about non-public exported symbols,
implementation details or precise behaviour beyond what's in the public
API. Upstream developers are also unlikely to be willing to support such
installations or make promises about their behaviour.
We can make partial upgrades more robust by upgrading everything from
a single source package together.
avahi (0.8-2) experimental; urgency=medium
* Team upload
[ Andreas Henriksson, Simon McVittie ]
* Switch from python2 to python3.
This includes renaming the python-avahi package to python3-avahi.
The only remaining package with a hard dependency on python-avahi is
avahi-discover, which is also fixed in this version.
(Closes: #853239, #936173)
[ Simon McVittie ]
* Override Lintian warning for package-name-doesnt-match-sonames libdns-sd1.
The libdns_sd.so.1 SONAME conceptually belongs to a different source
package (Apple Bonjour, which isn't currently in Debian) so it's
deliberate that we are not using its package name.
* gir1.2-avahi-0.6 Provides gir1.2-avahicore-0.6, reflecting its contents.
This matches the naming scheme from the g-i mini-policy, and lets us
stop suppressing some Lintian warnings.
* d/copyright: Add some more copyright holders
-- Steve Langasek <email address hidden> Tue, 09 Jun 2020 13:47:56 -0700
-
avahi (0.8-1ubuntu1) groovy; urgency=low
* Merge from Debian unstable. Remaining changes:
- Remove avahi-daemon-check-dns.sh hack, the feature is provided by
libnss-mdns now
* Dropped changes, included upstream:
- debian/patches/CVE-2017-6519-and-CVE-2018-1000845.patch:
fix in avahi-core/server.c.
- debian/patches/local-only-services-support.patch:
replaced by the upstream commited version, part of the code which
was there to workaround a ippusbxd issue has been removed since
the problem has been resolved in cups now
- local-only-services-support.patch: Added support for advertising
* Dropped changes:
- Add udebs corresponding to libavahi-common3 and libavahi-core7, for
maas-enlist-udeb: dropped, d-i no longer used for installing maas.
avahi (0.8-1) unstable; urgency=medium
* Team upload
[ Andreas Henriksson ]
* New upstream release (Closes: #951691)
- Support local-only services via the loopback interface
(Closes: #909564)
- Don't crash on keys with an empty value (Closes: #947891)
- Drop patches that are included upstream
- Disable Qt5 main loop binding for now
- Update libavahi-core7.symbols with newly added symbols
* d/p/Fetch-build-db-from-upstream-git.patch:
Patch back in a script that was omitted from the upstream tarball
* libavahi-core-dev: spelling-error-in-description shoudl should
* Drop obsolete X-Python-Version field
[ Simon McVittie ]
* Summarize significant upstream changes above
* Disable libevent main loop binding for now
* Continue to use Python 2 for now, so we can test v0.8 independent of
the switch from Python 2 to Python 3
* d/p/avahi_dns_packet_consume_uint32-fix-potential-undefined-b.patch:
Add patch from upstream git to fix undefined left-shift
* d/p/fix-bytestring-decoding-for-proper-display.patch,
d/p/avahi-discover-Don-t-decode-unicode-strings-only-bytestri.patch:
Make avahi-discover work for both Python 2 and Python 3
(hopefully Closes: #876107)
* Replace stage1 build-profile with nopython and pkg.avahi.nogui
* Set avahi user's home directory to /run/avahi-daemon for new installs.
For existing installations, it continues to be the
equivalent-but-deprecated /var/run/avahi-daemon.
* Add Build-Depends-Package to all .symbols files
* Don't explicitly link --as-needed.
This is the default in bullseye toolchains anyway.
* Use dpkg's default.mk
* Enable full compiler hardening
* Remove migration path from obsolete avahi-dbg package.
It was most recently shipped before Debian 9 'stretch', and we don't
support skipping a version when upgrading.
* Build-depend on python2.
We don't actually need Python development files here, just the
interpreter itself.
* d/rules: Make install invocations not require fakeroot.
The default for install(1) is 0755, root:root if running as root, or
0755 without ownership changes if running as an unprivileged user.
Under Rules-Requires-Root: no, we cannot explicitly chown a file,
but having it owned by the build user during build results in it being
owned by root:root in the .deb, which is what we want anyway.
* Set Rules-Requires-Root to no
* Standards-Version: 4.5.0 (no changes required)
* Move to debhelper-compat 12.
* Don't explicitly stop avahi-daemon.service in prerm.
The dh_installsystemd infrastructure handles this now. We do still mask
the service, since dh_installsystemd doesn't prevent D-Bus activation.
* Add ${misc:Pre-Depends} to all packages
* Add a patch to force a specific service type database format.
It was traditionally a gdbm database in Debian, but v0.8's build-db,
when run under Python 2, prefers dbhash (bsddb).
* d/avahi-autoipd.preinst: Remove transitional code from pre-stretch
avahi (0.7-5) unstable; urgency=medium
* Team upload
* Build-depend on python-gi in addition to python-gi-dev.
python-gi-dev is likely to lose its python-gi dependency to help
with tracking the removal of Python 2 dependencies.
(Closes: #945034)
* d/p/Drop-legacy-unicast-queries-from-address-not-on-local-lin.patch:
Add patch from upstream to fix traffic amplification attacks
(CVE-2017-6519, CVE-2018-1000845; Closes: #917047)
* d/patches: Annotate with forwarding status
* d/avahi-daemon-check-dns.sh: Wrap host command with timeout(1) to
avoid it stalling indefinitely on some systems.
Mitigates: #559927, #898038, #929010.
Thanks to Trent Lloyd and Ubuntu.
-- Steve Langasek <email address hidden> Wed, 20 May 2020 15:00:00 -0700
-
avahi (0.7-4ubuntu7) focal; urgency=medium
* Remove avahi-daemon-check-dns.sh hack, the feature is provided by
libnss-mdns now (lp: #1870824)
* debian/patches/local-only-services-support.patch:
- replaced by the upstream commited version, part of the code which
was there to workaround a ippusbxd issue has been removed since
the problem has been resolved in cups now
-- Sebastien Bacher <email address hidden> Wed, 08 Apr 2020 13:43:27 +0200
