system/c-ares: CVE-2020-8277: ares_parse_{a,aaaa}_reply could return larger *naddrttls than passed in
Bugzilla ID | 377 |
Alias(es) | CVE-2020-8277 |
Reporter | Max Rees (sroracle) |
Assignee | Max Rees (sroracle) |
Reported | 2020-11-21 22:50:08 -0600 |
Modified | 2020-11-21 22:50:08 -0600 |
Status | UNCONFIRMED |
Version | 1.0-RC1 |
Hardware | Adélie Linux / All |
Importance | --- / normal |
Package(s) | user/c-ares |
URL | https://nvd.nist.gov/vuln/detail/CVE-2020-8277 |
Description
Fixed in >= 1.17.0: https://github.com/c-ares/c-ares/commit/0d252eb3b2147179296a3bdb4ef97883c97c54d3
This issue was also addressed in the bundled c-ares in node.js. We do not use the bundled c-ares there at this time; however, we are on an unsupported branch of node now: https://nodejs.org/en/blog/vulnerability/november-2020-security-releases/#denial-of-service-through-dns-request-cve-2020-8277