package/c-ares: security bump to version 1.17.2

- NodeJS passes NULL for addr and 0 for addrlen to ares_parse_ptr_reply() on systems where malloc(0) returns NULL. This would cause a crash.
- If ares_getaddrinfo() was terminated by an ares_destroy(), it would cause a crash
- Crash in sortaddrinfo() if the list size equals 0 due to an unexpected DNS response
- Expand number of escaped characters in DNS replies as per RFC1035 5.1 to prevent spoofing follow-up
- Perform validation on hostnames to prevent possible XSS due to applications not performing validation themselves

https://c-ares.haxx.se/changelog.html#1_17_2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>