[Bug 291860] net/avahi-app: vulnerable to CVE-2025-59529

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 21 Dec 2025 17:43:30 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291860

            Bug ID: 291860
           Summary: net/avahi-app: vulnerable to CVE-2025-59529
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: desktop@FreeBSD.org
          Reporter: polarian@polarian.dev
             Flags: maintainer-feedback?(desktop@FreeBSD.org)

Created attachment 266434
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=266434&action=edit
vuxml

0.8 is vulnerable to:

CVE-2025-59529 - simple protocol server ignores the documented client limit and
accepts unlimited connections, allowing for easy local DoS

For more information please read:
https://github.com/avahi/avahi/security/advisories/GHSA-73wf-3xmj-x82q

However, `0.9` has not been released yet, and the only patched version is
`0.9-rc2`.

The patch could be cherry-picked and applied to the port; however, due to this
being a moderate CVE which is local-only, and is a denial of service, it really
doesn't seem to be a big deal.

Nevertheless, I have created an issue to track this. I have also attached a
vuxml for the CVE.
