c-ares
| Description | A C library for asynchronous DNS requests | 
| Version | 1.34.5-1 [extra] | 
Resolved
| Group | Affected | Fixed | Severity | Status | Ticket | 
|---|---|---|---|---|---|
| AVG-2268 | 1.17.1-1 | 1.17.2-1 | Medium | Fixed | |
| AVG-1280 | 1.16.1-2 | 1.17.1-1 | Medium | Fixed | |
| AVG-315 | 1.12.0-1 | 1.13.0-1 | Medium | Fixed | |
| AVG-37 | 1.11.0-1 | 1.12.0-1 | High | Fixed | |

| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2021-3672 | AVG-2268 | Medium | Yes | Insufficient validation | Missing input validation of host names returned by Domain Name Servers in the c-ares library before version 1.17.2 can lead to output of wrong hostnames... | 
| CVE-2020-8277 | AVG-1280 | Medium | Yes | Denial of service | An application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service by getting the application to... | 
| CVE-2017-1000381 | AVG-315 | Medium | Yes | Information disclosure | An out-of-bounds read has been found in c-ares < 1.13.0. The ares_parse_naptr_reply() function, which is used for parsing NAPTR responses, could be triggered... |
| CVE-2016-5180 | AVG-37 | High | Yes | Arbitrary code execution | When a string is passed in to ares_create_query or ares_mkquery and uses an escaped trailing dot, like "hello\.", c-ares calculates the string length wrong... | 
Advisories
| Date | Advisory | Group | Severity | Type | 
|---|---|---|---|---|
| 10 Aug 2021 | ASA-202108-13 | AVG-2268 | Medium | insufficient validation | 
| 19 Nov 2020 | ASA-202011-18 | AVG-1280 | Medium | denial of service | 
| 18 Jul 2017 | ASA-201707-21 | AVG-315 | Medium | information disclosure | 
| 30 Sep 2016 | ASA-201609-31 | AVG-37 | High | arbitrary code execution |