DLA-3567-1

Source

https://storage.googleapis.com/debian-osv/dla-osv/DLA-3567-1.json

Published

2023-09-15T00:00:00Z

Modified

2023-09-15T10:29:32.584525Z

Details

A vulnerability has been identified in c-ares, an asynchronous name resolver library:

CVE-2020-22217:

A buffer overflow vulnerability has been found in c-ares before via the function ares_parse_soa_reply in ares_parse_soa_reply.c. This vulnerability was discovered through fuzzing. Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial of service condition.

For Debian 10 buster, this problem has been fixed in version 1.14.0-1+deb10u4.

We recommend that you upgrade your c-ares packages.

For the detailed security status of c-ares please refer to its security tracker page at: https://security-tracker.debian.org/tracker/c-ares

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

References

https://www.debian.org/lts/security/2023/dla-3567

Affected packages

Debian:10 / c-ares

Source Details

Package Name: c-ares

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.14.0-1+deb10u4

Affected versions

1.*

1.14.0-1

1.14.0-1+deb10u1

1.14.0-1+deb10u2

1.14.0-1+deb10u3