[ubuntu/resolute-proposed] avahi 0.8-18ubuntu1 (Accepted)

Ural Tunaboyu ural.tunaboyu at canonical.com
Tue Mar 10 21:05:16 UTC 2026 

avahi (0.8-18ubuntu1) resolute; urgency=medium

  * Merge with Debian unstable (LP: #2142150). Remaining changes:
    - avahi-daemon-chroot-fix-bogus-assignments-in-assertions.patch,
      avahi-client-fix-resource-leak.patch: Issues discovered by static
      analysis (Upstream pull request #202)
    - SECURITY UPDATE: Reachable assertions exist in domain functions in
      avahi-common
      + debian/patches/CVE-2023-38470-2.patch: bail out when escaped
        labels can't fit into ret
      + CVE-2023-38470
    - SECURITY UPDATE: Reachable assertions exist in server functions in
      avahi-core
      + debian/patches/CVE-2023-38471-2.patch: core: return errors from
        avahi_server_set_host_name properly
      + CVE-2023-38471
  * Dropped changes applied upstream:
    - SECURITY UPDATE: Denial of service when creating a record browser.
      + debian/patches/CVE-2025-68276.patch: Add AVAHI_LOOKUP_USE_WIDE_AREA and
        wide area use check in avahi-core/browse.c.
      + CVE-2025-68276
    - SECURITY UPDATE: Denial of service after CNAME expiration.
      + debian/patches/CVE-2025-68468.patch: Remove assert in
        avahi-core/browse.c.
      + CVE-2025-68468
    - SECURITY UPDATE: Denial of service on receiving CNAME resource records.
      + debian/patches/CVE-2025-68471.patch: Change assert to return on
        wide_area check in avahi-core/browse.c.
      + CVE-2025-68471

Date: Tue, 17 Feb 2026 21:26:06 -0800
Changed-By: Ural Tunaboyu <ural.tunaboyu at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Sebastien Bacher <sebastien.bacher at canonical.com>
https://launchpad.net/ubuntu/+source/avahi/0.8-18ubuntu1
-------------- next part --------------
Format: 1.8
Date: Tue, 17 Feb 2026 21:26:06 -0800
Source: avahi
Built-For-Profiles: noudeb
Architecture: source
Version: 0.8-18ubuntu1
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Ural Tunaboyu <ural.tunaboyu at canonical.com>
Launchpad-Bugs-Fixed: 2142150
Changes:
 avahi (0.8-18ubuntu1) resolute; urgency=medium
 .
   * Merge with Debian unstable (LP: #2142150). Remaining changes:
     - avahi-daemon-chroot-fix-bogus-assignments-in-assertions.patch,
       avahi-client-fix-resource-leak.patch: Issues discovered by static
       analysis (Upstream pull request #202)
     - SECURITY UPDATE: Reachable assertions exist in domain functions in
       avahi-common
       + debian/patches/CVE-2023-38470-2.patch: bail out when escaped
         labels can't fit into ret
       + CVE-2023-38470
     - SECURITY UPDATE: Reachable assertions exist in server functions in
       avahi-core
       + debian/patches/CVE-2023-38471-2.patch: core: return errors from
         avahi_server_set_host_name properly
       + CVE-2023-38471
   * Dropped changes applied upstream:
     - SECURITY UPDATE: Denial of service when creating a record browser.
       + debian/patches/CVE-2025-68276.patch: Add AVAHI_LOOKUP_USE_WIDE_AREA and
         wide area use check in avahi-core/browse.c.
       + CVE-2025-68276
     - SECURITY UPDATE: Denial of service after CNAME expiration.
       + debian/patches/CVE-2025-68468.patch: Remove assert in
         avahi-core/browse.c.
       + CVE-2025-68468
     - SECURITY UPDATE: Denial of service on receiving CNAME resource records.
       + debian/patches/CVE-2025-68471.patch: Change assert to return on
         wide_area check in avahi-core/browse.c.
       + CVE-2025-68471
Checksums-Sha1:
 64c818afca567f19224fcb02b0dd3d16712cee4c 4167 avahi_0.8-18ubuntu1.dsc
 0f38901a588766a36452a49cfe1ac2cfc26c34bd 63336 avahi_0.8-18ubuntu1.debian.tar.xz
 cff358bd25e9368ad7473cd94d4239c9dacbf25a 21057 avahi_0.8-18ubuntu1_source.buildinfo
Checksums-Sha256:
 a71b748bba40c16bce2497c2c668c4ac803d6043f4674f896ee01973f8da5a87 4167 avahi_0.8-18ubuntu1.dsc
 87da0336f5c9220d336e5a379a2a33104098c953583e254c7107359ec7f4597a 63336 avahi_0.8-18ubuntu1.debian.tar.xz
 1d35b82c352ad9ab83cabf6b034ab7d7a66f4d0171bdf4899c2b46074021a44c 21057 avahi_0.8-18ubuntu1_source.buildinfo
Files:
 92216a36b1be6fdd17678b94e84d2da3 4167 net optional avahi_0.8-18ubuntu1.dsc
 40319f2a398d66a57211c163d44bc1fa 63336 net optional avahi_0.8-18ubuntu1.debian.tar.xz
 32ddbea1b73848fc9374ef9e8ce375ad 21057 net optional avahi_0.8-18ubuntu1_source.buildinfo
Original-Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers at lists.alioth.debian.org>
Vcs-Git: https://git.launchpad.net/~uralt/ubuntu/+source/avahi
Vcs-Git-Commit: 242bccda5a761b5e288811d181ddc1c0ae41955a
Vcs-Git-Ref: refs/heads/merge-lp2142150-resolute

More information about the Resolute-changes mailing list