CVE-2009-0758

NameCVE-2009-0758
DescriptionThe originates_from_local_legacy_unicast_socket function in avahi-core/server.c in avahi-daemon 0.6.23 does not account for the network byte order of a port number when processing incoming multicast packets, which allows remote attackers to cause a denial of service (network bandwidth and CPU consumption) via a crafted legacy unicast mDNS query packet that triggers a multicast packet storm.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-2086-1
NVD severityhigh (attack range: remote)
Debian Bugs517683

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
avahi (PTS)wheezy0.6.31-2fixed
jessie0.6.31-5fixed
stretch0.6.32-2fixed
buster, sid0.7-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
avahisource(unstable)0.6.24-3low517683
avahisourcelenny0.6.23-3lenny2highDSA-2086-1

Notes

[etch] - avahi <no-dsa> (Minor issue)
reflector is off by default

Search for package or bug name: Reporting problems