CVE-2009-0758
Published: 3 March 2009
The originates_from_local_legacy_unicast_socket function in avahi-core/server.c in avahi-daemon 0.6.23 does not account for the network byte order of a port number when processing incoming multicast packets, which allows remote attackers to cause a denial of service (network bandwidth and CPU consumption) via a crafted legacy unicast mDNS query packet that triggers a multicast packet storm.
Notes
Author | Note |
---|---|
mdeslaur | low priority as reflector is not enabled by default |
Priority
Status
Package | Release | Status |
---|---|---|
avahi | dapper | Ignored (end of life) |
avahi | gutsy | Ignored (end of life, was needed) |
avahi | hardy | Released (0.6.22-2ubuntu4.2) |
avahi | intrepid | Ignored (end of life, was needed) |
avahi | jaunty | Released (0.6.23-4ubuntu4.1) |
avahi | karmic | Not vulnerable (0.6.25-1ubuntu5.1) |
avahi | lucid | Not vulnerable |
avahi | upstream | Released (0.6.24-3) |

Patches:
vendor: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=server.patch;att=1;bug=517683
upstream: http://git.0pointer.de/?p=avahi.git;a=commit;h=6fabf9d5189cf0efb86af1cd57e5399f8e31112a