Alerts This Week
Warning Icon 1 714
Alerts This Week
Warning Icon 1 714

Debian: DSA-5419-1 Critical: c-ares Buffer Underflow and DoS

debian
Calendar Grey June 7, 2023
Debian Logo
Recent patch addresses two security flaws in c-ares library, affecting UDP message processing and potential buffer underflow issues. Urgent upgrade advised.
Two vunerabilities were discovered in c-ares, an asynchronous name resolver library: CVE-2023-31130
Topics%20covered

Topics Covered

security advisory denial of service critical debian buffer underflow

Summary

CVE-2023-31130

ares_inet_net_pton() is found to be vulnerable to a buffer underflow
for certain ipv6 addresses, in particular "0::00:00:00/2" was found
to cause an issue. c-ares only uses this function internally for
configuration purposes, however external usage for other purposes may
cause more severe issues.

CVE-2023-32067

Target resolver may erroneously interprets a malformed UDP packet
with a lenght of 0 as a graceful shutdown of the connection, which
could cause a denial of service.

For the stable distribution (bullseye), these problems have been fixed in
version 1.17.1-1+deb11u3.

We recommend that you upgrade your c-ares packages.

For the detailed security status of c-ares please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/c-ares

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



Severity
critical
Lowest
Low
Medium
High
Critical

Package: c-ares
CVE ID: CVE-2023-31130 CVE-2023-32067

Topics%20covered

Topics Covered

security advisory denial of service critical debian buffer underflow

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here