
New release to fix all CVEs since 2021?

Open Neustradamus opened this issue 1 year ago • 11 comments

Dear Avahi team, @lathiat, @evverx, @pemensik,

Current insecure stable version is 0.8.0 (2020-02-18), 3 years, 8 months, 9 days.

Is it possible to create the 0.9.0 release build to fix all CVEs (Vulnerabilities)?

  • https://www.cvedetails.com/vulnerability-list/vendor_id-4481/Avahi.html
  • https://cve.report/software/avahi/avahi
  • ...

Current list:

  • CVE-2023-38473: https://github.com/lathiat/avahi/issues/451
  • CVE-2023-38472: https://github.com/lathiat/avahi/issues/452
  • CVE-2023-38471: https://github.com/lathiat/avahi/issues/453
  • CVE-2023-38470: https://github.com/lathiat/avahi/issues/454
  • CVE-2023-38469: https://github.com/lathiat/avahi/issues/455
  • CVE-2023-1981: https://github.com/lathiat/avahi/issues/375
  • CVE-2021-36217
  • CVE-2021-26720
  • CVE-2021-3502: https://github.com/lathiat/avahi/issues/338
  • CVE-2021-3468

The original tickets have been closed without the new release build:

  • https://github.com/lathiat/avahi/issues/325
  • https://github.com/lathiat/avahi/issues/430

Thanks in advance.

cc: @ilkery.

Neustradamus, Oct 27 '23 21:10

I have been busy working on the dnsconfd project, but I think it is time for a release already. Not many new features, but a lot of important bugs already fixed. Without known regressions AFAIK. So yes, it would be nice to prepare a release finally. There are still a few things that need fixing, but hopefully the next release will come in summer or so. We do not have a perfect release, but it is time for a release. Ideally before FOSDEM starts.

pemensik, Jan 26 '24 21:01

There is still the open issue #501, which it seems should be fixed if possible before we release.

pemensik, Jan 26 '24 21:01

I thought I would do a release today, but I have to finish preparations for my FOSDEM talk. I have pushed tag v0.9-rc1 to allow more testing and downloading of the prepared archive. There might be just a few minor changes on top in the final v0.9. I would like to make a release in 14 days, but I have no time now to prepare decent release notes, which I want in the final release. I guess for development branches of distributions rc1 would be enough.

pemensik, Feb 01 '24 07:02

> I thought I would do a release today, but I have to finish preparations for my FOSDEM talk. I have pushed tag v0.9-rc1 to allow more testing and downloading of the prepared archive. There might be just a few minor changes on top in the final v0.9. I would like to make a release in 14 days, but I have no time now to prepare decent release notes, which I want in the final release. I guess for development branches of distributions rc1 would be enough.

Hello @pemensik, any news on the 0.9 release? Thanks.

xypiie, Mar 06 '24 12:03

Sorry, still busy with bind9 CVE fixes on RHEL, which are my top priority for the moment.

I haven't forgotten, we have a new CVE-2024-2699 for issue #501, but more similar issues are coming. We also need to improve tracking of security-related issues, for which I do not have sufficient access here.

pemensik, Mar 22 '24 18:03

What's the status of this? Seems like there's still no release?

jberkus, Apr 15 '24 19:04