c-ares-devel-1.17.2-2.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10668-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z c-ares-devel-1.17.2-2.2 on GA media These are all security issues fixed in the c-ares-devel-1.17.2-2.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10668 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-1000381/ SUSE CVE CVE-2017-1000381 page https://www.suse.com/security/cve/CVE-2020-8277/ SUSE CVE CVE-2020-8277 page https://www.suse.com/security/cve/CVE-2021-3672/ SUSE CVE CVE-2021-3672 page openSUSE Tumbleweed c-ares-devel-1.17.2-2.2 c-ares-utils-1.17.2-2.2 libcares2-1.17.2-2.2 libcares2-32bit-1.17.2-2.2 c-ares-devel-1.17.2-2.2 as a component of openSUSE Tumbleweed c-ares-utils-1.17.2-2.2 as a component of openSUSE Tumbleweed libcares2-1.17.2-2.2 as a component of openSUSE Tumbleweed libcares2-32bit-1.17.2-2.2 as a component of openSUSE Tumbleweed The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. CVE-2017-1000381 openSUSE Tumbleweed:c-ares-devel-1.17.2-2.2 openSUSE Tumbleweed:c-ares-utils-1.17.2-2.2 openSUSE Tumbleweed:libcares2-1.17.2-2.2 openSUSE Tumbleweed:libcares2-32bit-1.17.2-2.2 important 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-1000381.html CVE-2017-1000381 https://bugzilla.suse.com/1044946 SUSE Bug 1044946 A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1. CVE-2020-8277 openSUSE Tumbleweed:c-ares-devel-1.17.2-2.2 openSUSE Tumbleweed:c-ares-utils-1.17.2-2.2 openSUSE Tumbleweed:libcares2-1.17.2-2.2 openSUSE Tumbleweed:libcares2-32bit-1.17.2-2.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8277.html CVE-2020-8277 https://bugzilla.suse.com/1178882 SUSE Bug 1178882 A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability. CVE-2021-3672 openSUSE Tumbleweed:c-ares-devel-1.17.2-2.2 openSUSE Tumbleweed:c-ares-utils-1.17.2-2.2 openSUSE Tumbleweed:libcares2-1.17.2-2.2 openSUSE Tumbleweed:libcares2-32bit-1.17.2-2.2 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3672.html CVE-2021-3672 https://bugzilla.suse.com/1188881 SUSE Bug 1188881 https://bugzilla.suse.com/1193099 SUSE Bug 1193099