ELA-946-1 c-ares security update

buffer overflow

2023-09-15
Package: c-ares
Version: 1.10.0-2+deb8u7 (jessie), 1.12.0-1+deb9u6 (stretch)
Related CVEs: CVE-2020-22217


A vulnerability has been identified in c-ares, an asynchronous name resolver library:

CVE-2020-22217

A buffer overflow vulnerability has been found in c-ares before
via the function ares_parse_soa_reply in ares_parse_soa_reply.c.
This vulnerability was discovered through fuzzing. Exploitation
of this vulnerability may allow an attacker to execute arbitrary
code or cause a denial of service condition.
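The flaw class named above is a parser reading past the end of the reply buffer while decoding an SOA record. The following is an added, self-contained example written for this advisory, not code from c-ares: a minimal SOA RDATA decoder that bounds-checks every read, including the 20 bytes needed for the five 32-bit fields after the two names, so a truncated or malformed record is rejected instead of read past the buffer. The function names, the record layout helper and the sample bytes are constructed for illustration; compression pointers are deliberately unsupported to keep the example short.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decoded SOA RDATA (RFC 1035 section 3.3.13). */
struct soa_record {
    char mname[256];
    char rname[256];
    uint32_t serial, refresh, retry, expire, minimum;
};

/* Read one uncompressed DNS name (length-prefixed labels ending in a zero
 * byte) from buf[*pos .. len). Every byte is bounds-checked before use.
 * Returns 0 on success, -1 if the name runs past the buffer, uses a
 * compression pointer (unsupported in this example) or does not fit in out. */
static int read_name(const unsigned char *buf, size_t len, size_t *pos,
                     char *out, size_t outlen)
{
    size_t p = *pos, o = 0;
    for (;;) {
        if (p >= len) return -1;              /* label length byte missing */
        unsigned int lab = buf[p++];
        if (lab == 0) break;                  /* root label ends the name */
        if (lab & 0xC0) return -1;            /* compression pointer: not handled here */
        if (lab > len - p) return -1;         /* label body would run past buffer */
        if (o + lab + 1 >= outlen) return -1; /* no room for label plus '.' */
        memcpy(out + o, buf + p, lab);
        o += lab;
        p += lab;
        out[o++] = '.';
    }
    if (o == 0) {                             /* bare root name "." */
        if (outlen < 2) return -1;
        out[o++] = '.';
    }
    out[o] = '\0';
    *pos = p;
    return 0;
}

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode SOA RDATA of rdlen bytes into out. Returns 0 on success, -1 if the
 * record is truncated or malformed. The length test before the five 32-bit
 * fields is the kind of check whose absence lets a parser read out of bounds. */
int parse_soa_rdata(const unsigned char *rdata, size_t rdlen, struct soa_record *out)
{
    size_t pos = 0;
    if (read_name(rdata, rdlen, &pos, out->mname, sizeof out->mname)) return -1;
    if (read_name(rdata, rdlen, &pos, out->rname, sizeof out->rname)) return -1;
    if (rdlen - pos < 20) return -1;          /* serial..minimum need 20 bytes */
    out->serial  = be32(rdata + pos);
    out->refresh = be32(rdata + pos + 4);
    out->retry   = be32(rdata + pos + 8);
    out->expire  = be32(rdata + pos + 12);
    out->minimum = be32(rdata + pos + 16);
    return 0;
}

/* Constructed sample RDATA: MNAME ns1.example., RNAME hostmaster.example.,
 * serial 42, refresh 7200, retry 3600, expire 864000, minimum 300. */
const unsigned char SAMPLE_SOA[] = {
    3, 'n', 's', '1', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0,
    10, 'h', 'o', 's', 't', 'm', 'a', 's', 't', 'e', 'r',
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0,
    0x00, 0x00, 0x00, 0x2A,
    0x00, 0x00, 0x1C, 0x20,
    0x00, 0x00, 0x0E, 0x10,
    0x00, 0x0D, 0x2F, 0x00,
    0x00, 0x00, 0x01, 0x2C,
};
const size_t SAMPLE_SOA_LEN = sizeof SAMPLE_SOA;

int main(void)
{
    struct soa_record r;
    if (parse_soa_rdata(SAMPLE_SOA, SAMPLE_SOA_LEN, &r) == 0)
        printf("ok: %s %s serial=%u minimum=%u\n", r.mname, r.rname, r.serial, r.minimum);
    /* Same bytes, declared one byte shorter: the 20-byte check rejects it. */
    if (parse_soa_rdata(SAMPLE_SOA, SAMPLE_SOA_LEN - 1, &r) != 0)
        printf("truncated record rejected\n");
    return 0;
}
```

The rejected case is the one that matters for this advisory: a decoder that trusts the declared record length and reads the five integers unconditionally would read beyond the end of a short record, which is the behaviour a hardened parser must refuse before any read happens.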


For Debian 8 jessie, these problems have been fixed in version 1.10.0-2+deb8u7.

For Debian 9 stretch, these problems have been fixed in version 1.12.0-1+deb9u6.

We recommend that you upgrade your c-ares packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.