CVE-2011-1002

Published: 22 February 2011

avahi-core/socket.c in avahi-daemon in Avahi before 0.6.29 allows remote attackers to cause a denial of service (infinite loop) via an empty mDNS (1) IPv4 or (2) IPv6 UDP packet to port 5353. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-2244.

Priority

Status

Package	Release	Status
avahi Launchpad, Ubuntu, Debian	dapper	Ignored (end of life)
	hardy	Released (0.6.22-2ubuntu4.3)
	karmic	Released (0.6.25-1ubuntu5.3)
	lucid	Released (0.6.25-1ubuntu6.2)
	maverick	Released (0.6.27-2ubuntu3.1)
	upstream	Released (0.6.29)
	Patches: upstream: http://git.0pointer.de/?p=avahi.git;a=commit;h=46109dfec75534fe270c0ab902576f685d5ab3a6

References

http://xorl.wordpress.com/2011/02/20/cve-2011-1002-avahi-daemon-remote-denial-of-service/
https://ubuntu.com/security/notices/USN-1084-1
https://www.cve.org/CVERecord?id=CVE-2011-1002
NVD
Launchpad
Debian

Bugs

http://avahi.org/ticket/325
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614785

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›