Description
Security update for c-ares
This update for c-ares fixes the following issues:
Version update to git snapshot 1.17.1+20200724:
- CVE-2021-3672: fixed missing input validation on hostnames returned by DNS servers (bsc#1188881)
- If ares_getaddrinfo() was terminated by an ares_destroy(), it would cause a crash
- Crash in sortaddrinfo() if the list size equals 0 due to an unexpected DNS response
- Expand number of escaped characters in DNS replies as per RFC1035 5.1 to prevent spoofing
- Use unbuffered /dev/urandom for random data to prevent early startup performance issues
This update was imported from the SUSE:SLE-15:Update update project.
Package list
openSUSE Leap 15.2
c-ares-devel-1.17.1+20200724-lp152.2.9.1
c-ares-utils-1.17.1+20200724-lp152.2.9.1
libcares2-1.17.1+20200724-lp152.2.9.1
libcares2-32bit-1.17.1+20200724-lp152.2.9.1
References
- E-Mail link for openSUSE-SU-2021:1168-1
- SUSE Security Ratings
- SUSE Bug 1188881
- SUSE CVE CVE-2021-3672 page
Description
A flaw was found in the c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to the output of wrong hostnames, which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
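For applications that consume names from DNS replies, a caller-side check of the kind this flaw concerns, as an added example (not code from c-ares or from this advisory). The function name `hostname_is_safe` and the strict letters-digits-hyphen policy are assumptions chosen for illustration; some deployments also need to accept `_` in labels.

```c
#include <stddef.h>
#include <string.h>

/* Constructed policy (an assumption, not c-ares code): accept only
 * RFC 1035 "LDH" labels: ASCII letters, digits and '-', 1..63 bytes each,
 * no leading or trailing '-', whole name at most 253 bytes. */
static int is_ldh(unsigned char c)
{
    /* Explicit ranges: isalnum() is locale-dependent. */
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/* Returns 1 if the first len bytes of name form an acceptable hostname.
 * len is passed explicitly so an embedded NUL is inspected, not hidden. */
int hostname_is_safe(const char *name, size_t len)
{
    size_t i, label_len = 0;

    if (name == NULL || len == 0 || len > 253)
        return 0;
    if (name[len - 1] == '.')       /* allow one trailing root dot */
        len--;
    if (len == 0)
        return 0;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label_len == 0 || name[i - 1] == '-')
                return 0;           /* empty label, or label ends in '-' */
            label_len = 0;
            continue;
        }
        if (!is_ldh(c))
            return 0;               /* NUL, control bytes, spaces, '\\', ... */
        if (label_len == 0 && c == '-')
            return 0;               /* label starts with '-' */
        if (++label_len > 63)
            return 0;
    }
    return label_len > 0 && name[len - 1] != '-';
}
```

Pass the length reported by the resolver rather than `strlen()`, so that a name containing an embedded NUL byte is rejected instead of being silently truncated.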
Affected products
openSUSE Leap 15.2:c-ares-devel-1.17.1+20200724-lp152.2.9.1
openSUSE Leap 15.2:c-ares-utils-1.17.1+20200724-lp152.2.9.1
openSUSE Leap 15.2:libcares2-1.17.1+20200724-lp152.2.9.1
openSUSE Leap 15.2:libcares2-32bit-1.17.1+20200724-lp152.2.9.1
References
- CVE-2021-3672
- SUSE Bug 1188881
- SUSE Bug 1193099