[SECURITY] [DLA 3471-1] c-ares security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3471-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
June 26, 2023                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : c-ares
Version        : 1.14.0-1+deb10u3
CVE ID         : CVE-2023-31130 CVE-2023-32067

Two vulnerabilities were discovered in c-ares, an asynchronous name
resolver library:

CVE-2023-31130

    ares_inet_net_pton() is found to be vulnerable to a buffer underflow
    for certain IPv6 addresses; in particular, "0::00:00:00/2" was found
    to cause an issue. c-ares only uses this function internally for
    configuration purposes; however, external usage for other purposes may
    cause more severe issues.

CVE-2023-32067

    Target resolver may erroneously interpret a malformed UDP packet
    with a length of 0 as a graceful shutdown of the connection, which
    could cause a denial of service.

For Debian 10 buster, these problems have been fixed in version
1.14.0-1+deb10u3.

We recommend that you upgrade your c-ares packages.

For the detailed security status of c-ares please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/c-ares

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
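
The ambiguity described under CVE-2023-32067, as an added example that is not part of the advisory and is not c-ares code: a read of 0 bytes is end-of-stream on a stream socket but only an empty packet on a datagram socket. The names classify_read, demo and read_result are hypothetical; the example assumes Linux socket semantics and uses a local AF_UNIX socket pair as a stand-in for a resolver's UDP socket.

```c
/* Added example, not c-ares code. All names here are hypothetical. */
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

enum read_result { READ_DATA, READ_EMPTY_DATAGRAM, READ_PEER_CLOSED, READ_ERROR };

/* Interpret recv()'s return value n according to the type of socket fd. */
enum read_result classify_read(int fd, ssize_t n)
{
    int type = 0;
    socklen_t len = sizeof(type);
    if (n < 0)
        return READ_ERROR;
    if (n > 0)
        return READ_DATA;
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) != 0)
        return READ_ERROR;
    /* n == 0 is end-of-stream only on a stream socket; on a datagram
     * socket it is one empty packet and the socket stays usable. */
    return type == SOCK_STREAM ? READ_PEER_CLOSED : READ_EMPTY_DATAGRAM;
}

/* Constructed input over a local socket pair: an empty datagram for
 * SOCK_DGRAM, an orderly close of the writer for SOCK_STREAM. */
enum read_result demo(int type)
{
    int sv[2];
    char buf[512];
    enum read_result r = READ_ERROR;
    if (socketpair(AF_UNIX, type, 0, sv) != 0)
        return READ_ERROR;
    if (type == SOCK_STREAM) {
        close(sv[0]);
        sv[0] = -1;
    }
    if (type == SOCK_STREAM || send(sv[0], "", 0, 0) == 0)
        r = classify_read(sv[1], recv(sv[1], buf, sizeof(buf), 0));
    if (sv[0] >= 0)
        close(sv[0]);
    close(sv[1]);
    return r;
}

int main(void)
{
    printf("datagram: %d, stream: %d\n", demo(SOCK_DGRAM), demo(SOCK_STREAM));
    return 0;
}
```

A caller that tears down its socket or gives up on a query only for READ_PEER_CLOSED is not affected by a single empty datagram.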