DLA-3567-1

Source
https://storage.googleapis.com/debian-osv/dla-osv/DLA-3567-1.json
Published
2023-09-15T00:00:00Z
Modified
2023-09-15T10:29:32.584525Z
Details

A vulnerability has been identified in c-ares, an asynchronous name resolver library:

  • CVE-2020-22217:

    A buffer overflow vulnerability has been found in c-ares before via the function ares_parse_soa_reply in ares_parse_soa_reply.c. This vulnerability was discovered through fuzzing. Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial of service condition.

For Debian 10 buster, this problem has been fixed in version 1.14.0-1+deb10u4.

We recommend that you upgrade your c-ares packages.

For the detailed security status of c-ares please refer to its security tracker page at: https://security-tracker.debian.org/tracker/c-ares

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Affected packages

Debian:10 / c-ares

Source Details

Package Name
c-ares

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
1.14.0-1+deb10u4

Affected versions

1.*

1.14.0-1
1.14.0-1+deb10u1
1.14.0-1+deb10u2
1.14.0-1+deb10u3