First published: Wed Feb 17 2021
avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects the packaging for Debian GNU/Linux (used indirectly by SUSE), not the upstream Avahi product.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Avahi Avahi | <=0.8-4 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
debian/avahi | | 0.8-5+deb11u2, 0.8-10, 0.8-13 |
CVE-2021-26720 is a vulnerability in the avahi package in Debian that allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon.
CVE-2021-26720 has a severity value of 7.8 (High).
CVE-2021-26720 affects avahi packages through version 0.8-4.
To fix CVE-2021-26720, upgrade to avahi package version 0.8-5+deb11u2 or later.
You can find more information about CVE-2021-26720 on the Openwall website and the Debian security tracker.