Debian Package Tracker

avahi

general
  • source: avahi (main)
  • version: 0.8-18
  • maintainer: Utopia Maintenance Team (archive) (DMD)
  • uploaders: Sjoerd Simons [DMD] – Michael Biebl [DMD]
  • arch: all any
  • std-ver: 4.7.3
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 0.8-5+deb11u2
  • o-o-sec: 0.8-5+deb11u3
  • oldstable: 0.8-10+deb12u1
  • stable: 0.8-16
  • testing: 0.8-17
  • unstable: 0.8-18
binaries
  • avahi-autoipd (6 bugs: 0, 4, 2, 0)
  • avahi-daemon (36 bugs: 0, 30, 6, 0)
  • avahi-discover
  • avahi-dnsconfd
  • avahi-ui-utils
  • avahi-utils (4 bugs: 0, 3, 1, 0)
  • gir1.2-avahi-0.6
  • libavahi-client-dev
  • libavahi-client3
  • libavahi-common-data
  • libavahi-common-dev
  • libavahi-common3
  • libavahi-compat-libdnssd-dev
  • libavahi-compat-libdnssd1
  • libavahi-core-dev
  • libavahi-core7
  • libavahi-glib-dev
  • libavahi-glib1
  • libavahi-gobject-dev
  • libavahi-gobject0
  • libavahi-ui-gtk3-0
  • libavahi-ui-gtk3-dev
  • python3-avahi
action needed
2 security issues in sid (high)

There are 2 open security issues in sid.

2 important issues:
  • CVE-2024-52615: A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected.
  • CVE-2025-59529: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When a client cannot be accepted because avahi-daemon has reached its maximum number of sockets, the daemon unconditionally logs an error for each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a system-wide denial of service for mDNS/DNS-SD. Exhausting local file descriptors increases system load because an error is logged for each request. Overloading prevents glibc calls using nss-mdns plugins from resolving `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. The tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, as they use the DBus interface. It is possible to change the permissions of the unix socket after avahi-daemon is started, but avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools from accessing the socket and keep resolution working for trusted users.
Created: 2023-10-05 Last update: 2026-02-01 22:00
7 security issues in forky (high)

There are 7 open security issues in forky.

7 important issues:
  • CVE-2024-52615: A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected.
  • CVE-2024-52616: A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.
  • CVE-2025-59529: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When a client cannot be accepted because avahi-daemon has reached its maximum number of sockets, the daemon unconditionally logs an error for each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a system-wide denial of service for mDNS/DNS-SD. Exhausting local file descriptors increases system load because an error is logged for each request. Overloading prevents glibc calls using nss-mdns plugins from resolving `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. The tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, as they use the DBus interface. It is possible to change the permissions of the unix socket after avahi-daemon is started, but avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools from accessing the socket and keep resolution working for trusted users.
  • CVE-2025-68276: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local user can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves.
  • CVE-2025-68468: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes.
  • CVE-2025-68471: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.
  • CVE-2026-24401: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.
Created: 2025-08-09 Last update: 2026-02-01 22:00
lintian reports 3 warnings (normal)
Lintian reports 3 warnings about this package. You should make the package lintian-clean by getting rid of them.
Created: 2025-09-10 Last update: 2026-02-02 06:01
AppStream hints: 3 warnings for avahi-discover, avahi-ui-utils (normal)
AppStream found metadata issues for packages:
  • avahi-discover: 1 warning
  • avahi-ui-utils: 2 warnings
You should get rid of them to provide more metadata about this software.
Created: 2020-06-01 Last update: 2026-02-02 04:00
debian/patches: 26 patches to forward upstream (low)

Among the 31 debian patches available in version 0.8-18 of the package, we noticed the following issues:

  • 26 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2026-02-02 11:01
7 low-priority security issues in trixie (low)

There are 7 open security issues in trixie.

7 issues left for the package maintainer to handle:
  • CVE-2024-52615: (needs triaging) A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected.
  • CVE-2024-52616: (needs triaging) A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.
  • CVE-2025-59529: (postponed; to be fixed through a stable update) Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When a client cannot be accepted because avahi-daemon has reached its maximum number of sockets, the daemon unconditionally logs an error for each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a system-wide denial of service for mDNS/DNS-SD. Exhausting local file descriptors increases system load because an error is logged for each request. Overloading prevents glibc calls using nss-mdns plugins from resolving `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. The tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, as they use the DBus interface. It is possible to change the permissions of the unix socket after avahi-daemon is started, but avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools from accessing the socket and keep resolution working for trusted users.
  • CVE-2025-68276: (needs triaging) Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local user can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves.
  • CVE-2025-68468: (needs triaging) Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes.
  • CVE-2025-68471: (needs triaging) Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.
  • CVE-2026-24401: (needs triaging) Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-08-09 Last update: 2026-02-01 22:00
7 low-priority security issues in bookworm (low)

There are 7 open security issues in bookworm.

7 issues left for the package maintainer to handle:
  • CVE-2024-52615: (needs triaging) A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected.
  • CVE-2024-52616: (needs triaging) A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.
  • CVE-2025-59529: (postponed; to be fixed through a stable update) Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When a client cannot be accepted because avahi-daemon has reached its maximum number of sockets, the daemon unconditionally logs an error for each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a system-wide denial of service for mDNS/DNS-SD. Exhausting local file descriptors increases system load because an error is logged for each request. Overloading prevents glibc calls using nss-mdns plugins from resolving `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. The tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, as they use the DBus interface. It is possible to change the permissions of the unix socket after avahi-daemon is started, but avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools from accessing the socket and keep resolution working for trusted users.
  • CVE-2025-68276: (needs triaging) Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local user can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves.
  • CVE-2025-68468: (needs triaging) Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes.
  • CVE-2025-68471: (needs triaging) Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.
  • CVE-2026-24401: (needs triaging) Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-10-05 Last update: 2026-02-01 22:00
testing migrations
  • excuses:
    • Migration status for avahi (0.8-17 to 0.8-18): BLOCKED: Rejected/violates migration policy/introduces a regression
    • Issues preventing migration:
      • Autopkgtest for avahi/0.8-18: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
      • Autopkgtest for libreoffice/4:25.8.4-1: amd64: Regression ♻ (reference ♻), arm64: Test triggered (failure will be ignored), i386: Test triggered (failure will be ignored), ppc64el: Pass, riscv64: Pass, s390x: Pass
      • Too young, only 1 of 5 days old
    • Additional info (not blocking):
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/a/avahi.html
      • Reproducible on amd64
      • Reproducible on arm64
      • Reproducible on armhf
      • Reproducible on i386
      • Reproducible on ppc64el
    • Not considered
news
  • [2026-02-01] Accepted avahi 0.8-18 (source) into unstable (Michael Biebl)
  • [2025-09-11] avahi 0.8-17 MIGRATED to testing (Debian testing watch)
  • [2025-09-09] Accepted avahi 0.8-17 (source) into unstable (Simon McVittie)
  • [2025-01-10] avahi 0.8-16 MIGRATED to testing (Debian testing watch)
  • [2025-01-04] Accepted avahi 0.8-16 (source) into unstable (Michael Biebl)
  • [2025-01-04] Accepted avahi 0.8-10+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
  • [2024-12-10] avahi 0.8-15 MIGRATED to testing (Debian testing watch)
  • [2024-12-09] Accepted avahi 0.8-5+deb11u3 (source) into oldstable-security (Adrian Bunk)
  • [2024-12-04] Accepted avahi 0.8-15 (source) into unstable (Michael Biebl)
  • [2024-11-30] Accepted avahi 0.8-14 (source) into unstable (Michael Biebl)
  • [2023-11-13] avahi 0.8-13 MIGRATED to testing (Debian testing watch)
  • [2023-11-07] Accepted avahi 0.8-13 (source) into unstable (Simon McVittie)
  • [2023-10-25] avahi 0.8-12 MIGRATED to testing (Debian testing watch)
  • [2023-10-20] Accepted avahi 0.8-12 (source) into unstable (Simon McVittie)
  • [2023-09-15] avahi 0.8-11 MIGRATED to testing (Debian testing watch)
  • [2023-09-07] Accepted avahi 0.8-11 (source) into unstable (Michael Biebl)
  • [2023-06-21] Accepted avahi 0.7-4+deb10u3 (source) into oldoldstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2023-05-02] Accepted avahi 0.7-4+deb10u2 (source amd64 all) into oldstable (Chris Lamb)
  • [2023-04-24] avahi 0.8-10 MIGRATED to testing (Debian testing watch)
  • [2023-04-19] Accepted avahi 0.8-10 (source) into unstable (Michael Biebl)
  • [2023-03-01] avahi 0.8-9 MIGRATED to testing (Debian testing watch)
  • [2023-02-18] Accepted avahi 0.8-9 (source) into unstable (Michael Biebl)
  • [2023-02-12] Accepted avahi 0.8-5+deb11u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Michael Biebl)
  • [2023-02-10] avahi 0.8-8 MIGRATED to testing (Debian testing watch)
  • [2023-02-05] Accepted avahi 0.8-8 (source) into unstable (Michael Biebl)
  • [2023-01-16] avahi 0.8-7 MIGRATED to testing (Debian testing watch)
  • [2023-01-10] Accepted avahi 0.8-7 (source) into unstable (Michael Biebl)
  • [2022-08-28] Accepted avahi 0.8-5+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters)
  • [2022-06-11] avahi 0.8-6 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 50 51
  • RC: 0
  • I&N: 41
  • M&W: 9 10
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 3)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • l10n (-, 81)
  • debian patches
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 0.8-17ubuntu2
  • 164 bugs (5 patches)
  • patches for 0.8-17ubuntu2

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers