Opened 3 years ago
Closed 3 years ago
#15374 closed enhancement (fixed)
c-ares-1.17.2
| Reported by: | Douglas R. Reno | Owned by: | Bruce Dubbs |
|---|---|---|---|
| Priority: | elevated | Milestone: | 11.0 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New point version.
Security release
Change History (3)
comment:1 by , 3 years ago
comment:2 by , 3 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 3 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at commit 6e1270bed03869c8f737801407127088000c2612
Package updates.
Update to SDL2-2.0.16.
Update to NetworkManager-1.32.8.
Update to libjpeg-turbo-2.1.1.
Update to c-ares-1.17.2.
Note:
See TracTickets
for help on using tickets.
CVE-2021-3672
Missing input validation on hostnames returned by DNS servers ============================================================= Project c-ares Security Advisory, August 10, 2021 - [Permalink](https://c-ares.haxx.se/adv_20210810.html) VULNERABILITY ------------- Missing input validation of host names returned by Domain Name Servers in the c-ares library can lead to output of wrong hostnames (leading to Domain Hijacking). The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-3672 to this issue. STEPS TO REPRODUCE ------------------ An example domain which has a cname including a zero byte: ``` $ adig cnamezero.test2.xdi-attack.net Answers: cnamezero.test2.xdi-attack.net. 0 CNAME victim.test2.xdi-attack.net\000.test2.xdi-attack.net. victim.test2.xdi-attack.net\000.test2.xdi-attack.net. 0 A 141.12.174.88 ``` When resolved via a vulnerable implementation, the CNAME alias and name of the A record will seem to be `victim.test2.xdi-attack.net` instead of `victim.test2.xdi-attack.net\000.test2.xdi-attack.net`, a totally different domain. This is a clear error in zero-byte handling and can potentially lead to DNS-cache injections in case an application implements a cache based on the library. AFFECTED VERSIONS ----------------- This flaw exists in the following c-ares versions. - Affected versions: c-ares 1.0.0 to and including 1.17.1 - Not affected versions: c-ares >= 1.17.2 THE SOLUTION ------------ In version 1.17.2, the function has been corrected and a test case have been added to verify. A [patch for CVE-2021-3672](https://github.com/c-ares/c-ares/compare/809d5e8..44c009b.patch) is available. RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade c-ares to version 1.17.2 B - Apply the patch to your version and rebuild TIME LINE --------- It was reported to the c-ares project on June 11, 2021 by Philipp Jeitner and Haya Shulman, Fraunhofer SIT. c-ares 1.17.2 was released on August 10 2021, coordinated with the publication of this advisory. CREDITS ------- Thanks to Philipp Jeitner and Haya Shulman, Fraunhofer SIT for the report. -- / daniel.haxx.se