Security update for c-ares SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:1168-1 Final 1 1 2021-08-19T15:21:43Z current 2021-08-19T15:21:43Z 2021-08-19T15:21:43Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for c-ares This update for c-ares fixes the following issues: Version update to git snapshot 1.17.1+20200724: - CVE-2021-3672: fixed missing input validation on hostnames returned by DNS servers (bsc#1188881) - If ares_getaddrinfo() was terminated by an ares_destroy(), it would cause crash - Crash in sortaddrinfo() if the list size equals 0 due to an unexpected DNS response - Expand number of escaped characters in DNS replies as per RFC1035 5.1 to prevent spoofing - Use unbuffered /dev/urandom for random data to prevent early startup performance issues This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-1168 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DGOSTA5JEGSS4FAXRRSGJYRZUQK3LXPV/ E-Mail link for openSUSE-SU-2021:1168-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1188881 SUSE Bug 1188881 https://www.suse.com/security/cve/CVE-2021-3672/ SUSE CVE CVE-2021-3672 page openSUSE Leap 15.2 c-ares-devel-1.17.1+20200724-lp152.2.9.1 c-ares-utils-1.17.1+20200724-lp152.2.9.1 libcares2-1.17.1+20200724-lp152.2.9.1 libcares2-32bit-1.17.1+20200724-lp152.2.9.1 c-ares-devel-1.17.1+20200724-lp152.2.9.1 as a component of openSUSE Leap 15.2 c-ares-utils-1.17.1+20200724-lp152.2.9.1 as a component of openSUSE Leap 15.2 libcares2-1.17.1+20200724-lp152.2.9.1 as a component of openSUSE Leap 15.2 libcares2-32bit-1.17.1+20200724-lp152.2.9.1 as a component of openSUSE Leap 15.2 A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability. CVE-2021-3672 openSUSE Leap 15.2:c-ares-devel-1.17.1+20200724-lp152.2.9.1 openSUSE Leap 15.2:c-ares-utils-1.17.1+20200724-lp152.2.9.1 openSUSE Leap 15.2:libcares2-1.17.1+20200724-lp152.2.9.1 openSUSE Leap 15.2:libcares2-32bit-1.17.1+20200724-lp152.2.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DGOSTA5JEGSS4FAXRRSGJYRZUQK3LXPV/ https://www.suse.com/security/cve/CVE-2021-3672.html CVE-2021-3672 https://bugzilla.suse.com/1188881 SUSE Bug 1188881 https://bugzilla.suse.com/1193099 SUSE Bug 1193099