Description
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain IPv6 addresses; in particular, "0::00:00:00/2" was found to cause an issue. c-ares only uses this function internally for configuration purposes, which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
A vulnerability was found in c-ares. This issue occurs in the ares_inet_net_pton() function, which is vulnerable to a buffer underflow for certain IPv6 addresses. "0::00:00:00/2" in particular was found to cause an issue. c-ares only uses this function internally for configuration purposes, which would require an administrator to configure such an address via ares_set_sortlist().
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | c-ares | Out of support scope | | |
Red Hat Enterprise Linux 7 | c-ares | Out of support scope | | |
Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2023:4034 | 12.07.2023 |
Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2023:4035 | 12.07.2023 |
Red Hat Enterprise Linux 8 | c-ares | Fixed | RHSA-2023:7207 | 14.11.2023 |
Red Hat Enterprise Linux 8.6 Extended Update Support | nodejs | Fixed | RHSA-2023:4033 | 12.07.2023 |
Red Hat Enterprise Linux 8.6 Extended Update Support | c-ares | Fixed | RHSA-2023:7392 | 21.11.2023 |
Red Hat Enterprise Linux 8.8 Extended Update Support | c-ares | Fixed | RHSA-2023:7543 | 28.11.2023 |
Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2023:3577 | 14.06.2023 |
Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2023:3586 | 14.06.2023 |
Additional information
Status:
EPSS
5.7 Medium
CVSS3
Related vulnerabilities
A vulnerability in the ares_inet_net_pton() function of the c-ares asynchronous DNS request library that allows an attacker to gain access to confidential data, compromise its integrity, and cause a denial of service