SUSE update for avahi

Published: 2024-06-25

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2023-38469 CVE-2023-38471
CWE-ID	CWE-617
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Desktop Applications Module Operating systems & Components / Operating system SUSE Package Hub 15 Operating systems & Components / Operating system Basesystem Module Operating systems & Components / Operating system SUSE Linux Enterprise Real Time 15 Operating systems & Components / Operating system openSUSE Leap Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 Operating systems & Components / Operating system SUSE Linux Enterprise Desktop 15 Operating systems & Components / Operating system libavahi-client3-64bit Operating systems & Components / Operating system package or component libavahi-common3-64bit Operating systems & Components / Operating system package or component libavahi-client3-64bit-debuginfo Operating systems & Components / Operating system package or component libavahi-glib1-64bit Operating systems & Components / Operating system package or component libavahi-glib1-64bit-debuginfo Operating systems & Components / Operating system package or component libdns_sd-64bit-debuginfo Operating systems & Components / Operating system package or component avahi-64bit-debuginfo Operating systems & Components / Operating system package or component libdns_sd-64bit Operating systems & Components / Operating system package or component libavahi-common3-64bit-debuginfo Operating systems & Components / Operating system package or component avahi-lang Operating systems & Components / Operating system package or component libavahi-common3-32bit-debuginfo Operating systems & Components / Operating system package or component libavahi-client3-32bit Operating systems & Components / Operating system package or component libdns_sd-32bit Operating systems & Components / Operating system package or component libavahi-client3-32bit-debuginfo Operating systems & Components / Operating system package or component libavahi-common3-32bit Operating systems & Components / Operating system package or component libdns_sd-32bit-debuginfo Operating systems & Components / Operating system package or component libavahi-glib1-32bit Operating systems & Components / Operating system package or component avahi-32bit-debuginfo Operating systems & Components / Operating system package or component libavahi-glib1-32bit-debuginfo Operating systems & Components / Operating system package or component avahi-utils-gtk Operating systems & Components / Operating system package or component avahi-compat-mDNSResponder-devel Operating systems & Components / Operating system package or component avahi-qt5-debugsource Operating systems & Components / Operating system package or component libavahi-libevent1-debuginfo Operating systems & Components / Operating system package or component libavahi-glib1 Operating systems & Components / Operating system package or component avahi-autoipd-debuginfo Operating systems & Components / Operating system package or component avahi-utils-gtk-debuginfo Operating systems & Components / Operating system package or component libavahi-qt5-1-debuginfo Operating systems & Components / Operating system package or component libavahi-common3 Operating systems & Components / Operating system package or component libavahi-core7-debuginfo Operating systems & Components / Operating system package or component libhowl0-debuginfo Operating systems & Components / Operating system package or component libavahi-client3-debuginfo Operating systems & Components / Operating system package or component avahi-glib2-debugsource Operating systems & Components / Operating system package or component libavahi-glib1-debuginfo Operating systems & Components / Operating system package or component avahi-utils Operating systems & Components / Operating system package or component libavahi-ui-gtk3-0 Operating systems & Components / Operating system package or component libhowl0 Operating systems & Components / Operating system package or component libavahi-ui-gtk3-0-debuginfo Operating systems & Components / Operating system package or component libavahi-qt5-1 Operating systems & Components / Operating system package or component avahi-utils-debuginfo Operating systems & Components / Operating system package or component libavahi-libevent1 Operating systems & Components / Operating system package or component avahi-compat-howl-devel Operating systems & Components / Operating system package or component libavahi-common3-debuginfo Operating systems & Components / Operating system package or component libdns_sd Operating systems & Components / Operating system package or component libavahi-core7 Operating systems & Components / Operating system package or component avahi Operating systems & Components / Operating system package or component libavahi-devel Operating systems & Components / Operating system package or component libavahi-gobject0 Operating systems & Components / Operating system package or component python3-avahi-gtk Operating systems & Components / Operating system package or component avahi-debuginfo Operating systems & Components / Operating system package or component libavahi-gobject-devel Operating systems & Components / Operating system package or component libavahi-gobject0-debuginfo Operating systems & Components / Operating system package or component avahi-autoipd Operating systems & Components / Operating system package or component libdns_sd-debuginfo Operating systems & Components / Operating system package or component typelib-1_0-Avahi-0_6 Operating systems & Components / Operating system package or component libavahi-glib-devel Operating systems & Components / Operating system package or component libavahi-client3 Operating systems & Components / Operating system package or component avahi-debugsource Operating systems & Components / Operating system package or component libavahi-qt5-devel Operating systems & Components / Operating system package or component python3-avahi Operating systems & Components / Operating system package or component
Vendor	SUSE

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Reachable Assertion

EUVDB-ID: #VU79306

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-38469

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion within the avahi_dns_packet_append_record() function. A remote attacker can send specially crafted packets to the system and perform a denial of service (DoS) attack.

Mitigation

Update the affected package avahi to the latest version.

Vulnerable software versions

Desktop Applications Module: 15-SP6

SUSE Package Hub 15: 15-SP6

Basesystem Module: 15-SP6

SUSE Linux Enterprise Real Time 15: SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP6

SUSE Linux Enterprise Server 15: SP6

SUSE Linux Enterprise Desktop 15: SP6

libavahi-client3-64bit: before 0.8-150600.15.3.1

libavahi-common3-64bit: before 0.8-150600.15.3.1

libavahi-client3-64bit-debuginfo: before 0.8-150600.15.3.1

libavahi-glib1-64bit: before 0.8-150600.15.3.1

libavahi-glib1-64bit-debuginfo: before 0.8-150600.15.3.1

libdns_sd-64bit-debuginfo: before 0.8-150600.15.3.1

avahi-64bit-debuginfo: before 0.8-150600.15.3.1

libdns_sd-64bit: before 0.8-150600.15.3.1

libavahi-common3-64bit-debuginfo: before 0.8-150600.15.3.1

avahi-lang: before 0.8-150600.15.3.1

libavahi-common3-32bit-debuginfo: before 0.8-150600.15.3.1

libavahi-client3-32bit: before 0.8-150600.15.3.1

libdns_sd-32bit: before 0.8-150600.15.3.1

libavahi-client3-32bit-debuginfo: before 0.8-150600.15.3.1

libavahi-common3-32bit: before 0.8-150600.15.3.1

libdns_sd-32bit-debuginfo: before 0.8-150600.15.3.1

libavahi-glib1-32bit: before 0.8-150600.15.3.1

avahi-32bit-debuginfo: before 0.8-150600.15.3.1

libavahi-glib1-32bit-debuginfo: before 0.8-150600.15.3.1

avahi-utils-gtk: before 0.8-150600.15.3.1

avahi-compat-mDNSResponder-devel: before 0.8-150600.15.3.1

avahi-qt5-debugsource: before 0.8-150600.15.3.1

libavahi-libevent1-debuginfo: before 0.8-150600.15.3.1

libavahi-glib1: before 0.8-150600.15.3.1

avahi-autoipd-debuginfo: before 0.8-150600.15.3.1

avahi-utils-gtk-debuginfo: before 0.8-150600.15.3.1

libavahi-qt5-1-debuginfo: before 0.8-150600.15.3.1

libavahi-common3: before 0.8-150600.15.3.1

libavahi-core7-debuginfo: before 0.8-150600.15.3.1

libhowl0-debuginfo: before 0.8-150600.15.3.1

libavahi-client3-debuginfo: before 0.8-150600.15.3.1

avahi-glib2-debugsource: before 0.8-150600.15.3.1

libavahi-glib1-debuginfo: before 0.8-150600.15.3.1

avahi-utils: before 0.8-150600.15.3.1

libavahi-ui-gtk3-0: before 0.8-150600.15.3.1

libhowl0: before 0.8-150600.15.3.1

libavahi-ui-gtk3-0-debuginfo: before 0.8-150600.15.3.1

libavahi-qt5-1: before 0.8-150600.15.3.1

avahi-utils-debuginfo: before 0.8-150600.15.3.1

libavahi-libevent1: before 0.8-150600.15.3.1

avahi-compat-howl-devel: before 0.8-150600.15.3.1

libavahi-common3-debuginfo: before 0.8-150600.15.3.1

libdns_sd: before 0.8-150600.15.3.1

libavahi-core7: before 0.8-150600.15.3.1

avahi: before 0.8-150600.15.3.1

libavahi-devel: before 0.8-150600.15.3.1

libavahi-gobject0: before 0.8-150600.15.3.1

python3-avahi-gtk: before 0.8-150600.15.3.1

avahi-debuginfo: before 0.8-150600.15.3.1

libavahi-gobject-devel: before 0.8-150600.15.3.1

libavahi-gobject0-debuginfo: before 0.8-150600.15.3.1

avahi-autoipd: before 0.8-150600.15.3.1

libdns_sd-debuginfo: before 0.8-150600.15.3.1

typelib-1_0-Avahi-0_6: before 0.8-150600.15.3.1

libavahi-glib-devel: before 0.8-150600.15.3.1

libavahi-client3: before 0.8-150600.15.3.1

avahi-debugsource: before 0.8-150600.15.3.1

libavahi-qt5-devel: before 0.8-150600.15.3.1

python3-avahi: before 0.8-150600.15.3.1

CPE2.3

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20242200-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Reachable Assertion

EUVDB-ID: #VU79308

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-38471