avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) and may cause information leakage by obtaining potentially sensitive information from the responding device via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809.
The product does not properly verify that the source of data or communication is valid.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Avahi | Avahi | * | 0.6.32 (including) |
| Avahi | Avahi | 0.7 (including) | 0.7 (including) |
| Red Hat Enterprise Linux 7 | RedHat | avahi-0:0.6.31-20.el7 | * |
| Avahi | Ubuntu | artful | * |
| Avahi | Ubuntu | bionic | * |
| Avahi | Ubuntu | cosmic | * |
| Avahi | Ubuntu | devel | * |
| Avahi | Ubuntu | precise | * |
| Avahi | Ubuntu | trusty | * |
| Avahi | Ubuntu | upstream | * |
| Avahi | Ubuntu | vivid/stable-phone-overlay | * |
| Avahi | Ubuntu | xenial | * |
| Avahi | Ubuntu | yakkety | * |
| Avahi | Ubuntu | zesty | * |