openSUSE-SU-2021:0370-1

Опубликовано: 02 мар. 2021

Источник: suse-cvrf

Описание

Security update for avahi

This update for avahi fixes the following issues:

CVE-2021-26720: drop privileges when invoking avahi-daemon-check-dns.sh (bsc#1180827)
Update avahi-daemon-check-dns.sh from Debian. Our previous version relied on ifconfig, route, and init.d.
Add sudo to requires: used to drop privileges.

This update was imported from the SUSE:SLE-15-SP1:Update update project.

Список пакетов

openSUSE Leap 15.2

avahi-0.7-lp152.3.6.1

avahi-autoipd-0.7-lp152.3.6.1

avahi-compat-howl-devel-0.7-lp152.3.6.1

avahi-compat-mDNSResponder-devel-0.7-lp152.3.6.1

avahi-lang-0.7-lp152.3.6.1

avahi-mono-0.7-lp152.3.6.1

avahi-utils-0.7-lp152.3.6.1

avahi-utils-gtk-0.7-lp152.3.6.1

libavahi-client3-0.7-lp152.3.6.1

libavahi-client3-32bit-0.7-lp152.3.6.1

libavahi-common3-0.7-lp152.3.6.1

libavahi-common3-32bit-0.7-lp152.3.6.1

libavahi-core7-0.7-lp152.3.6.1

libavahi-devel-0.7-lp152.3.6.1

libavahi-glib-devel-0.7-lp152.3.6.1

libavahi-glib1-0.7-lp152.3.6.1

libavahi-glib1-32bit-0.7-lp152.3.6.1

libavahi-gobject-devel-0.7-lp152.3.6.1

libavahi-gobject0-0.7-lp152.3.6.1

libavahi-qt4-1-0.7-lp152.3.6.1

libavahi-qt4-devel-0.7-lp152.3.6.1

libavahi-ui-gtk3-0-0.7-lp152.3.6.1

libavahi-ui0-0.7-lp152.3.6.1

libdns_sd-0.7-lp152.3.6.1

libdns_sd-32bit-0.7-lp152.3.6.1

libhowl0-0.7-lp152.3.6.1

python3-avahi-0.7-lp152.3.6.1

python3-avahi-gtk-0.7-lp152.3.6.1

typelib-1_0-Avahi-0_6-0.7-lp152.3.6.1

Ссылки

https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DVDVPBVHRZSZM5XAK6X7A5RCIHNQNEG5/
E-Mail link for openSUSE-SU-2021:0370-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1180827
SUSE Bug 1180827
https://www.suse.com/security/cve/CVE-2021-26720/
SUSE CVE CVE-2021-26720 page

Описание

avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects the packaging for Debian GNU/Linux (used indirectly by SUSE), not the upstream Avahi product.

Затронутые продукты

openSUSE Leap 15.2:avahi-0.7-lp152.3.6.1

openSUSE Leap 15.2:avahi-autoipd-0.7-lp152.3.6.1

openSUSE Leap 15.2:avahi-compat-howl-devel-0.7-lp152.3.6.1

openSUSE Leap 15.2:avahi-compat-mDNSResponder-devel-0.7-lp152.3.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-26720.html
CVE-2021-26720
https://bugzilla.suse.com/1180827
SUSE Bug 1180827
https://bugzilla.suse.com/1180865
SUSE Bug 1180865
https://bugzilla.suse.com/1181852
SUSE Bug 1181852
https://bugzilla.suse.com/1186412
SUSE Bug 1186412
https://bugzilla.suse.com/1205048
SUSE Bug 1205048

openSUSE-SU-2021:0370-1

Описание

Список пакетов

openSUSE Leap 15.2

Ссылки

Уязвимость: CVE-2021-26720

Описание

Затронутые продукты

Ссылки