CVE-2024-52616

NameCVE-2024-52616
DescriptionA flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1088111

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
avahi (PTS)bullseye0.8-5+deb11u2vulnerable
bookworm0.8-10vulnerable
trixie0.8-13vulnerable
sid0.8-14vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
avahisource(unstable)(unfixed)1088111

Notes

[bookworm] - avahi <no-dsa> (Minor issue; workarounds/mitigation exist by setting enable-wide-area=no)
[bullseye] - avahi <postponed> (Minor issue; workarounds/mitigation exist by setting enable-wide-area=no)
https://bugzilla.redhat.com/show_bug.cgi?id=2326429
https://github.com/avahi/avahi/issues/254
https://github.com/avahi/avahi/issues/254#issuecomment-2480519212
turn off wide-area feature: https://github.com/avahi/avahi/pull/577
Revisiting of feature: https://github.com/avahi/avahi/issues/578
https://github.com/avahi/avahi/security/advisories/GHSA-r9j3-vjjh-p8vm

Search for package or bug name: Reporting problems