system/c-ares: CVE-2020-8277: ares_parse_{a,aaaa}_reply could return larger *naddrttls than passed in
| Bugzilla ID | 377 |
| Alias(es) | CVE-2020-8277 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-11-21 22:50:08 -0600 |
| Modified | 2020-11-21 22:50:08 -0600 |
| Status | UNCONFIRMED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | user/c-ares |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2020-8277 |
Description
Fixed in >= 1.17.0 https://github.com/c-ares/c-ares/commit/0d252eb3b2147179296a3bdb4ef97883c97c54d3
This issue was also addressed in bundled c-ares in node.js. We do not use bundled c-ares there at this time, however we are on an unsupported branch of node now https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/#denial-of-service-through-dns-request-cve-2020-8277