CVE-2016-5180

Heap-based buffer overflow in the arescreatequery function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.

References

Affected packages

Alpine:v3.2 / c-ares

Package

Name: c-ares
Purl: pkg:apk/alpine/c-ares?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.12.0-r0

Affected versions

1.*

1.6.0-r0

1.6.0-r1

1.7.0-r0

1.7.0-r1

1.7.3-r0

1.7.4-r0

1.7.4-r1

1.7.4-r2

1.7.5-r0

1.8.0-r0

1.9.0-r0

1.9.1-r0

1.10.0-r0

1.10.0-r1

Alpine:v3.3 / c-ares

Package

Name: c-ares
Purl: pkg:apk/alpine/c-ares?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.12.0-r0

Affected versions

1.*

1.6.0-r0

1.6.0-r1

1.7.0-r0

1.7.0-r1

1.7.3-r0

1.7.4-r0

1.7.4-r1

1.7.4-r2

1.7.5-r0

1.8.0-r0

1.9.0-r0

1.9.1-r0

1.10.0-r0

1.10.0-r1

Alpine:v3.4 / c-ares

Package

Name: c-ares
Purl: pkg:apk/alpine/c-ares?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.12.0-r0

Affected versions

1.*

1.6.0-r0

1.6.0-r1

1.7.0-r0

1.7.0-r1

1.7.3-r0

1.7.4-r0

1.7.4-r1

1.7.4-r2

1.7.5-r0

1.8.0-r0

1.9.0-r0

1.9.1-r0

1.10.0-r0

1.10.0-r1

1.11.0-r0

Alpine:v3.5 / c-ares

Package

Name: c-ares
Purl: pkg:apk/alpine/c-ares?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.12.0-r0

Affected versions

1.*

1.6.0-r0

1.6.0-r1

1.7.0-r0

1.7.0-r1

1.7.3-r0

1.7.4-r0

1.7.4-r1

1.7.4-r2

1.7.5-r0

1.8.0-r0

1.9.0-r0

1.9.1-r0

1.10.0-r0

1.10.0-r1

1.11.0-r0

Alpine:v3.6 / c-ares

Package

Name: c-ares
Purl: pkg:apk/alpine/c-ares?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.12.0-r0

Affected versions

1.*

1.6.0-r0

1.6.0-r1

1.7.0-r0

1.7.0-r1

1.7.3-r0

1.7.4-r0

1.7.4-r1

1.7.4-r2

1.7.5-r0

1.8.0-r0

1.9.0-r0

1.9.1-r0

1.10.0-r0

1.10.0-r1

1.11.0-r0

Alpine:v3.6 / nodejs

Package

Name: nodejs
Purl: pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.8.0-r0

Affected versions

4.*

4.4.3-r0

4.4.4-r0

4.4.5-r0

4.4.7-r0

4.5.0-r0

Debian:11 / c-ares

Package

Name: c-ares
Purl: pkg:deb/debian/c-ares?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.12.0-1

Ecosystem specific

{
    "urgency": "medium"
}

Debian:12 / c-ares

Package

Name: c-ares
Purl: pkg:deb/debian/c-ares?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.12.0-1

Ecosystem specific

{
    "urgency": "medium"
}

Debian:13 / c-ares

Package

Name: c-ares
Purl: pkg:deb/debian/c-ares?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.12.0-1

Ecosystem specific

{
    "urgency": "medium"
}

Git / github.com/nodejs/node

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/node
Events: Introduced

163ca274230fce536afe76c64676c332693ad7c1

Fixed

262dd62a9248d7021966a9d00cd6632ea1f087bc

Affected versions

v0.*

v0.10.0

v0.10.1

v0.10.10

v0.10.11

v0.10.12

v0.10.13

v0.10.14

v0.10.15

v0.10.16

v0.10.17

v0.10.18

v0.10.19

v0.10.2

v0.10.20

v0.10.21

v0.10.22

v0.10.23

v0.10.24

v0.10.25

v0.10.26

v0.10.27

v0.10.28

v0.10.29

v0.10.3

v0.10.30

v0.10.31

v0.10.32

v0.10.33

v0.10.34

v0.10.35

v0.10.36

v0.10.37

v0.10.38

v0.10.39

v0.10.4

v0.10.40

v0.10.41

v0.10.42

v0.10.43

v0.10.44

v0.10.45

v0.10.46

v0.10.47

v0.10.5

v0.10.6

v0.10.7

v0.10.8

v0.10.9