Package: avahi-daemon Version: 0.6.23-3 Severity: normal User: pkg-utopia-maintain...@lists.alioth.debian.org Usertags: fdo-18961
avahi-daemon's D-Bus system.d config should be updated to fix non-deterministic allow/deny for messages with no interface (related to CVE-2008-4311); the D-Bus upstream recommendation seems to be that every allow or deny rule with send_interface="..." should have a suitable send_destination attribute too. http://bugs.freedesktop.org/show_bug.cgi?id=18961 is the D-Bus bug tracking this; there have also been discussions on the D-Bus mailing list. In this case, it appears it might also be possible to bypass the intended restriction on SetHostName by sending the method call with an empty interface name. Regards from the Cambridge BSP, Simon
signature.asc
Description: Digital signature