Opened 8 months ago

Closed 8 months ago

#14255 closed enhancement (fixed)

c-ares-1.17.1

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: high Milestone: 10.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New minor version.

Change History (10)

comment:2 by Xi Ruoyao, 8 months ago

We can download those two files from GitHub, or wait for next release.

comment:3 by Bruce Dubbs, 8 months ago

Summary: c-ares-1.17.0 → c-ares-1.17.0 (Wait for 1.17.1)

It sounds like a new release is coming soon. Let's wait for that.

comment:4 by Douglas R. Reno, 8 months ago

I'll check later on today. This version has four security fixes in it, at least one of them rated as high with no user intervention required to exploit. The node.js update is related.

comment:5 by Douglas R. Reno, 8 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:6 by Douglas R. Reno, 8 months ago

I did poke upstream on this about half an hour ago. The purpose of Node.JS-14.15.1 is:

Commits

    [1fd2c8142b] - deps: cherry-pick 0d252eb from upstream c-ares (Michael Dawson) nodejs-private/node-private#231

There isn't a reason for us to update Node.JS until this is updated because we use the system version of c-ares. Those two really should go in at the same time.

comment:7 by Douglas R. Reno, 8 months ago

Summary: c-ares-1.17.0 (Wait for 1.17.1) → c-ares-1.17.1

Now 1.17.1!

comment:8 by Douglas R. Reno, 8 months ago

c-ares version 1.17.1 - Nov 19 2020

Fixes packaging issues in 1.17.0.

c-ares version 1.17.0 - Nov 16 2020

Security:

    avoid read-heap-buffer-overflow in ares_parse_soa_reply found during fuzzing
    Avoid theoretical buffer overflow in RC4 loop comparison
    Empty hquery->name could lead to invalid memory access
    ares_parse_{a,aaaa}_reply() could return a larger *naddrttls than was passed in 

Changes:

    Update help information for adig, acountry, and ahost
    Test Suite now uses dynamic system-assigned ports rather than hardcoded ports to prevent failures in containers
    Detect remote DNS server does not support EDNS using rules from RFC 6891
    Source tree has been reorganized to use a more modern layout
    Allow parsing of CAA Resource Record 

Bug fixes:

    readaddrinfo bad sizeof()
    Test cases should honor HAVE_WRITEV flag, not depend on WIN32
    FQDN with trailing period should be queried first
    ares_getaddrinfo() was returning members of the struct as garbage values if unset, and was not honoring ai_socktype and ai_protocol hints.
    ares_gethostbyname() with AF_UNSPEC and an ip address would fail
    Properly document ares_set_local_ip4() uses host byte order 
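The fourth security item in the 1.17.0 notes quoted above, ares_parse_{a,aaaa}_reply() returning a larger *naddrttls than was passed in, is a contract violation on an in/out argument: *naddrttls is the capacity of the addrttls array on entry and is supposed to be the number of entries written on return. A parser that fills at most the capacity but reports a larger count leads a caller that trusts that count to read entries that were never written. The C program below is an added illustration, not c-ares code and not part of this ticket: it models only the naddrttls in/out semantics of ares_parse_a_reply() over a constructed list of five decoded A records (no DNS wire format is parsed), shows the defective and corrected reporting side by side, and adds the caller-side clamp a program can apply if it must keep running against an older library. All names in it (addrttl_entry, parse_reports_found, parse_reports_written, reported_count, usable_count, sum_usable_ttls) are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative stand-in for c-ares' struct ares_addrttl: one A record's
 * address (kept in host byte order here, for simplicity) and its TTL.
 * This is example code, not c-ares code. */
struct addrttl_entry {
    uint32_t ipaddr;
    int ttl;
};

/* Constructed sample reply: five A records already decoded from the wire
 * (192.0.2.1 .. 192.0.2.5, TTL 300 each). No real DNS parsing happens here. */
#define SAMPLE_COUNT 5
static const uint32_t SAMPLE_ADDRS[SAMPLE_COUNT] = {
    0xC0000201u, 0xC0000202u, 0xC0000203u, 0xC0000204u, 0xC0000205u
};

typedef int (*parse_fn)(struct addrttl_entry *out, int *naddrttls);

/* Mirrors the in/out contract of ares_parse_a_reply(): on entry *naddrttls is
 * the capacity of `out`; on return it must be the number of entries written.
 * This version models the defect described in the 1.17.0 notes: it never
 * writes past `out`, but it reports the number of records found rather than
 * the number stored, so *naddrttls can exceed the capacity passed in. */
int parse_reports_found(struct addrttl_entry *out, int *naddrttls)
{
    int cap = *naddrttls, i;
    for (i = 0; i < SAMPLE_COUNT && i < cap; i++) {
        out[i].ipaddr = SAMPLE_ADDRS[i];
        out[i].ttl = 300;
    }
    *naddrttls = SAMPLE_COUNT;   /* defect: may exceed the capacity passed in */
    return 0;
}

/* Corrected behaviour: *naddrttls never exceeds the capacity on entry. */
int parse_reports_written(struct addrttl_entry *out, int *naddrttls)
{
    int cap = *naddrttls, written = 0;
    while (written < SAMPLE_COUNT && written < cap) {
        out[written].ipaddr = SAMPLE_ADDRS[written];
        out[written].ttl = 300;
        written++;
    }
    *naddrttls = written;
    return 0;
}

#define DEMO_CAPACITY_MAX 8

/* Runs `parse` with a buffer of `capacity` entries and returns the count the
 * parser reported, or -1 on error. */
int reported_count(parse_fn parse, int capacity)
{
    struct addrttl_entry buf[DEMO_CAPACITY_MAX];
    int n = capacity;
    if (capacity < 0 || capacity > DEMO_CAPACITY_MAX)
        return -1;
    if (parse(buf, &n) != 0)
        return -1;
    return n;
}

/* Caller-side hardening for code that must keep working against an older
 * library: iterate over min(reported, capacity) entries only, because any
 * entry at index >= capacity was never written and reading it is an
 * out-of-bounds access. */
int usable_count(int reported, int capacity)
{
    if (reported < 0)
        return 0;
    return reported < capacity ? reported : capacity;
}

/* Sums the TTLs of the entries that can safely be read after a parse. */
int sum_usable_ttls(parse_fn parse, int capacity)
{
    struct addrttl_entry buf[DEMO_CAPACITY_MAX];
    int n = capacity, i, total = 0;
    if (capacity < 0 || capacity > DEMO_CAPACITY_MAX || parse(buf, &n) != 0)
        return -1;
    n = usable_count(n, capacity);
    for (i = 0; i < n; i++)
        total += buf[i].ttl;
    return total;
}

int main(void)
{
    int cap = 2;
    printf("capacity %d: defective parser reports %d, fixed parser reports %d\n",
           cap, reported_count(parse_reports_found, cap),
           reported_count(parse_reports_written, cap));
    printf("usable TTL sum after clamping: %d\n",
           sum_usable_ttls(parse_reports_found, cap));
    return 0;
}
```

With a two-entry buffer the defective parser reports 5 while only 2 entries exist; the clamp in usable_count() is the check a caller can keep regardless of which library version is installed, since it costs nothing when the library already honours the capacity.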

comment:9 by Douglas R. Reno, 8 months ago

Priority: normal → high

Marked as high due to four security vulnerabilities

comment:10 by Douglas R. Reno, 8 months ago

Resolution: fixed
Status: assigned → closed

Fixed at r14252
