git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit
avahi: fix CVE-2024-52616
author Zhang Peng <peng.zhang1.cn@windriver.com>
Thu, 17 Jul 2025 09:34:38 +0000 (17:34 +0800)
committer Steve Sakoman <steve@sakoman.com>
Fri, 18 Jul 2025 15:57:07 +0000 (08:57 -0700)
commit 0376d69c39305333f2b2817ae7a1f4911f63e2e9
tree 3b6f7cf8496d3f7a0ec605f30efb37e16b95fa83
parent acbed746f321e1a42df9035d2b6f1029f5a6a6a2
avahi: fix CVE-2024-52616

CVE-2024-52616:
A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs
randomly only once at startup, incrementing them sequentially after that. This
predictable behavior facilitates DNS spoofing attacks, allowing attackers to
guess transaction IDs.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-52616]
[https://github.com/avahi/avahi/security/advisories/GHSA-r9j3-vjjh-p8vm]

Upstream patches:
[https://github.com/avahi/avahi/commit/f8710bdc8b29ee1176fe3bfaeabebbda1b7a79f7]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry pick from commit: 28de3f131b17dc4165df927060ee51f0de3ada90)

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-connectivity/avahi/avahi_0.8.bb
meta/recipes-connectivity/avahi/files/CVE-2024-52616.patch [new file with mode: 0644]
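
The ID pattern the commit message describes (random once at startup, then incremented), next to an independent random ID per query, with a check that counts how many IDs in a sample are simply the previous ID plus one. This is an added example, not code from this commit or from Avahi; all names (`seq_ids`, `rnd_next`, `count_successor_hits`) are hypothetical, and Linux `getrandom(2)` is assumed as the random source.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/random.h>

/* Draw 16 bits from the kernel CSPRNG (Linux getrandom(2), an assumption). */
static uint16_t random_u16(void) {
    uint16_t v;
    if (getrandom(&v, sizeof v, 0) != (ssize_t)sizeof v)
        abort();
    return v;
}

/* Pattern from the CVE text: random once at startup, then +1 per query. */
typedef struct { uint16_t next; } seq_ids;
void seq_init(seq_ids *s) { s->next = random_u16(); }
uint16_t seq_next(seq_ids *s) { return s->next++; }

/* Alternative for comparison: an independent random ID for every query. */
uint16_t rnd_next(void) { return random_u16(); }

/* Audit check: count IDs equal to the previous ID + 1 (mod 2^16). */
int count_successor_hits(const uint16_t *ids, int n) {
    int hits = 0;
    for (int i = 1; i < n; i++)
        if (ids[i] == (uint16_t)(ids[i - 1] + 1))
            hits++;
    return hits;
}

#define SAMPLE 256
int sequential_hits(void) {
    uint16_t ids[SAMPLE];
    seq_ids s;
    seq_init(&s);
    for (int i = 0; i < SAMPLE; i++) ids[i] = seq_next(&s);
    return count_successor_hits(ids, SAMPLE);
}
int random_hits(void) {
    uint16_t ids[SAMPLE];
    for (int i = 0; i < SAMPLE; i++) ids[i] = rnd_next();
    return count_successor_hits(ids, SAMPLE);
}

int main(void) {
    printf("sequential: %d/%d successors\n", sequential_hits(), SAMPLE - 1);
    printf("per-query random: %d/%d successors\n", random_hits(), SAMPLE - 1);
    return 0;
}
```

The same successor count can be applied to transaction IDs taken from a packet capture to confirm whether a deployed build still emits sequential IDs.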