
New release to fix all CVEs since 2021? #503

Open
Neustradamus opened this issue Oct 27, 2023 · 11 comments
Labels
important High priority
Milestone

Comments

@Neustradamus

Neustradamus commented Oct 27, 2023

Dear Avahi team, @lathiat, @evverx, @pemensik,

The current insecure stable version is 0.8.0 (2020-02-18), 3 years, 8 months, 9 days ago.

Is it possible to create the 0.9.0 release build to fix all CVEs (vulnerabilities)?

Current list:

The original tickets have been closed without the new release build:

Thanks in advance.

cc: @ilkery.

@pemensik
Member

I have been busy working on the dnsconfd project, but I think it is time for a release already. Not many new features, but a lot of important bugs already fixed. Without known regressions AFAIK. So yes, it would be nice to prepare a release finally. There are still a few things that need fixing, but hopefully the next release will come in summer or so. We do not have a perfect release, but it is time for a release. Ideally before FOSDEM starts.

@pemensik pemensik added this to the v0.9 milestone Jan 26, 2024
@pemensik
Member

There is still the open issue #501, which it seems should be fixed if possible before we release.

@pemensik
Member

pemensik commented Feb 1, 2024

I thought I would do a release today, but I have to finish preparations for my FOSDEM talk. I have pushed tag v0.9-rc1 to allow more testing and downloading of the prepared archive. There might be just a few minor changes on top in the final v0.9. I would like to make a release in 14 days, but have no time now to prepare decent release notes, which I want in the final release. I guess for development branches of distributions rc1 would be enough.

@xypiie

xypiie commented Mar 6, 2024

> I thought I would do a release today, but I have to finish preparations for my FOSDEM talk. I have pushed tag v0.9-rc1 to allow more testing and downloading of the prepared archive. There might be just a few minor changes on top in the final v0.9. I would like to make a release in 14 days, but have no time now to prepare decent release notes, which I want in the final release. I guess for development branches of distributions rc1 would be enough.

Hello @pemensik, any news on the 0.9 release? Thanks.

@pemensik
Member

Sorry, still busy with bind9 CVE fixes on RHEL, which are my top priority for the moment.

I haven't forgotten; we have a new CVE-2024-2699 for issue #501, but more similar issues are coming. We also need to improve tracking of security-related issues, for which I do not have sufficient access here.

github-actions bot pushed a commit to NixOS/nixpkgs that referenced this issue Mar 24, 2024
As no release appears to be imminent...
avahi/avahi#503

(cherry picked from commit 73ff1fc)
@jberkus

jberkus commented Apr 15, 2024

What's the status of this? Seems like there's still no release?

zeme-wana pushed a commit to input-output-hk/nixpkgs that referenced this issue May 8, 2024
As no release appears to be imminent...
avahi/avahi#503

(cherry picked from commit 73ff1fc)
@Neustradamus
Author

Dear @avahi team, @lathiat, @evverx, @pemensik,

Today is 2024-06-26; currently it is not secure and very old: 0.8.0 was released 2020-02-18 (more than 4 years and 4 months ago).

Have you made progress on a new release build?
It is urgent to have one with the CVE fixes...

It is possible to create more release builds, like other projects do.

Thanks in advance.

@nairboon

At this point avahi should add some new maintainers or declare itself deprecated. Then the solution might be to fork avahi.
It has now really been 4 years that avahi sits on fixes but doesn't release them, like issue #210, which makes avahi quite unusable in large networks.

@Neustradamus
Author

@nairboon: For several years, I have tried to revive this project; I have been permitted to have an organization to improve it...

But there is a problem with the current team -> CVEs are always handled badly.
The project is not secure... :/

No new releases since 2020.

Same for nss-mdns:

@evverx
Member

evverx commented Jul 13, 2024

> CVE-2021-26720

GHSA-jhxr-wvf5-hrp6 is Debian-specific.

The other CVEs are local DoSes (unless D-Bus is exposed over the network as in https://spectrum.ieee.org/jeep-hacking-101 but thanks to that non-local sockets were officially deprecated and the dbus-daemon manpage comes with huge warnings like https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/doc/dbus-daemon.1.xml.in?ref_type=heads#L462 so if there are devices where D-Bus is exposed over the network they certainly have more serious issues than the avahi DoSes).

In other words those things aren't urgent. Distros where those things are important have already backported all the patches and aren't affected.

> At this point avahi should add some new maintainers or declare it as deprecated. Then the solution might be to fork avahi.

It isn't deprecated but vendors who have the resources to maintain their forks with their patches on top already do that so it shouldn't be necessary to wait for anything to start doing that too.

Either way my understanding is that the release is kind of blocked because it hasn't been decided what should be deprecated and dropped entirely. Distros like Debian and NixOS are fine with dropping some things but Fedora disagrees and it isn't obvious what should be included in the release notes. Once it's decided it should be fine to write the release notes and cut the release.

@xypiie

xypiie commented Sep 30, 2024

Hello @pemensik, half a year has passed since my last question. Any news on the 0.9 release? :) Thanks.
