Skip to content

GitLab

Open
Created by Emily@emily🤖

CVE-2020-8277: user/c-ares: ares_parse_{a,aaaa}_reply could return larger *naddrttls than passed in
Bugzilla ID 377
Alias(es) CVE-2020-8277
Reporter Max Rees (sroracle)
Assignee Max Rees (sroracle)
Reported 2020-11-21 22:50:08 -0600
Modified 2020-11-21 22:50:08 -0600
Status UNCONFIRMED
Version 1.0-RC1
Hardware Adélie Linux / All
Importance --- / normal
Package(s) user/c-ares
URL https://nvd.nist.gov/vuln/detail/CVE-2020-8277

Description

Fixed in >= 1.17.0 https://github.com/c-ares/c-ares/commit/0d252eb3b2147179296a3bdb4ef97883c97c54d3

This issue was also addressed in bundled c-ares in node.js. We do not use bundled c-ares there at this time, however we are on an unsupported branch of node now https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/#denial-of-service-through-dns-request-cve-2020-8277