Bug 488314 (CVE-2009-0758)
Summary: | CVE-2009-0758 avahi: remote DoS via legacy unicast mDNS queries | ||||||
---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> | ||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
Status: | CLOSED ERRATA | QA Contact: | |||||
Severity: | low | Docs Contact: | |||||
Priority: | low | ||||||
Version: | unspecified | CC: | lpoetter, mbacovsk | ||||
Target Milestone: | --- | Keywords: | Reopened, Security | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0758 | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2012-11-29 15:14:23 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 609318, 609319, 833873 | ||||||
Bug Blocks: | |||||||
Attachments: |
|
Description
Vincent Danen
2009-03-03 18:11:52 UTC
Created attachment 333906 [details]
patch from the Debian BTS that proposes a fix for this issue
This is really really low priority since the reflection feature is not enabled by default and has always been documented as being experimental and that it might crucify your network. Not sure if this should really be considered a security issue at all. Of course, this should be fixed, but all this CVE bureaucracy is way over-the-top if you ask me. I'll apply a fix for this into the Avahi sources, but I am not really convinced that I should do a full new release just for this. fix this in the upstream Avahi sources, that is. Where is it noted as being experimental? Looking at the avahi-daemon.conf manpage, the only warning about enabling the reflector is to make sure that you don't have multiple reflectors, and only the reflect-ipv keyword is noted as being not recommended. I see it's not default, which is fine, but I'd like to know where it is indicated that enabling it is not recommended or where it's noted as being experimental. If you feel that real-world use of the reflector functionality would be more or less non-existent, then I'd agree with dropping the severity and either dropping or deferring this issue. Uh, indeed. I never actually mentioned that in the man pages. Sorry for the confusion. I guess I should fix that as well. I am pretty sure though that I mentioned that a couple of times on the MLs and on IRC. Anyway, I'd still say that this is a rather exotic feature not worth all the hubbub. The man page even says is "it should work", so I guess you could read from that that I was not even sure it really was that reliable back when I wrote it. Yes, this needs to be fixed, and yes I should have better documented that it is mostly an experimental feature. Ok, thanks for that. What we will do then is defer this and fix it in any future update we have for avahi for RHEL5. When you fix this upstream (and roll a new version), updating Fedora to the new version may not be a bad idea, and getting it into rawhide would be great. (In reply to comment #5) > fix this in the upstream Avahi sources, that is. Just for the future reference - have you used Debian patch in upstream sources? The change is not yet visible at: http://avahi.org/browser/ No, I haven't fixed this upstream yet. Sorry. But from a first glance the Debian fix looks about right. This is fixed upstream now: http://git.0pointer.de/?p=avahi.git;a=commit;h=6fabf9d5189cf0efb86af1cd57e5399f8e31112a This is corrected in upstream 0.6.25; Fedora 11 and 12 have this version and are fixed. Re-open, waiting to get included in some future RHEL5 avahi update (see comment #8). commited and built for rhel 5.5.z and rhel 5.6 now. nvr are as follows: rhel5.5.z: avahi-0.6.16-9.el5.5 rhel5.6: avahi-0.6.16-9.el5 (In reply to comment #4) > This is really really low priority since the reflection feature is not enabled > by default and has always been documented as being experimental and that it > might crucify your network. For future reference - relevant avahi-daemon.conf option to enable / disable reflector is enable-reflector. Defaults to "no". This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0528 https://rhn.redhat.com/errata/RHSA-2010-0528.html Statement: (none) |