Debian alert DLA-3471-1 (c-ares)
From: Anton Gladky <gladk@debian.org>
To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 3471-1] c-ares security update
Date: Mon, 26 Jun 2023 21:47:35 +0200
Message-ID: <20230626194735.468674A023B@localhost.localdomain>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3471-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
June 26, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : c-ares
Version        : 1.14.0-1+deb10u3
CVE ID         : CVE-2023-31130 CVE-2023-32067

Two vulnerabilities were discovered in c-ares, an asynchronous name
resolver library:

CVE-2023-31130

    ares_inet_net_pton() is found to be vulnerable to a buffer underflow
    for certain IPv6 addresses, in particular "0::00:00:00/2" was found
    to cause an issue. c-ares only uses this function internally for
    configuration purposes, however external usage for other purposes
    may cause more severe issues.

CVE-2023-32067

    Target resolver may erroneously interpret a malformed UDP packet
    with a length of 0 as a graceful shutdown of the connection, which
    could cause a denial of service.

For Debian 10 buster, these problems have been fixed in version
1.14.0-1+deb10u3.

We recommend that you upgrade your c-ares packages.

For the detailed security status of c-ares please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/c-ares

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
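
The read-handling rule behind CVE-2023-32067, as an added illustration that is not c-ares source and not part of the advisory: a 0 return from recv() means the peer closed only on a stream socket, while on a datagram socket it is a valid empty packet. The names classify_read and zero_read_demo and the local AF_UNIX socket pairs are assumptions made for this example.

```c
/* Added illustration; not c-ares source. All names are hypothetical. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

enum read_result { READ_ERROR = -1, READ_DATA, READ_EMPTY_DGRAM, READ_PEER_CLOSED };

/* Interpret recv()'s return value according to the socket type. */
enum read_result classify_read(int fd, ssize_t n)
{
    int type = 0;
    socklen_t len = sizeof(type);

    if (n < 0)
        return READ_ERROR;
    if (n > 0)
        return READ_DATA;
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) != 0)
        return READ_ERROR;
    /* n == 0: EOF on a stream, but just an empty packet on a datagram socket. */
    return type == SOCK_STREAM ? READ_PEER_CLOSED : READ_EMPTY_DGRAM;
}

/* Constructed scenario on a local socket pair: the peer sends one
 * zero-length datagram (SOCK_DGRAM) or closes its end (SOCK_STREAM). */
enum read_result zero_read_demo(int sock_type)
{
    int sv[2];
    char buf[512];
    enum read_result r;

    if (socketpair(AF_UNIX, sock_type, 0, sv) != 0)
        return READ_ERROR;
    if (sock_type == SOCK_DGRAM)
        (void)send(sv[1], "", 0, 0);
    else
        shutdown(sv[1], SHUT_WR);
    r = classify_read(sv[0], recv(sv[0], buf, sizeof(buf), MSG_DONTWAIT));
    close(sv[0]);
    close(sv[1]);
    return r;
}

int main(void)
{
    printf("datagram: %d, stream: %d\n",
           zero_read_demo(SOCK_DGRAM), zero_read_demo(SOCK_STREAM));
    return 0;
}
```

A UDP read path that takes the READ_EMPTY_DGRAM branch should discard the packet and keep the socket open rather than tear the connection down.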