Bug 29350 - c-ares new security issue CVE-2021-3672
Summary: c-ares new security issue CVE-2021-3672
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-08-10 15:51 CEST by David Walser
Modified: 2021-08-30 15:14 CEST

See Also:
Source RPM: c-ares-1.17.1-1.mga8.src.rpm
CVE: CVE-2021-3672
Status comment:

Description David Walser 2021-08-10 15:51:31 CEST
Upstream has issued an advisory today (August 10):
https://c-ares.haxx.se/adv_20210810.html

The issue is fixed upstream in 1.17.2.

Mageia 8 is also affected.
David Walser 2021-08-10 15:51:49 CEST

Status comment: (none) => Fixed upstream in 1.17.2
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2021-08-10 15:55:04 CEST
Debian and Ubuntu have issued advisories for this today (August 10):
https://www.debian.org/security/2021/dsa-4954
https://ubuntu.com/security/notices/USN-5034-1

Summary: c-ares new security issue => c-ares new security issue CVE-2021-3672

Comment 2 Marja Van Waes 2021-08-10 19:52:16 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 3 David Walser 2021-08-18 16:27:31 CEST
openSUSE has issued an advisory for this today (August 18):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4F2ZKNNMGENSNMAS5CDHA3CDDRAXF3AQ/
Comment 4 David Walser 2021-08-18 16:34:11 CEST
Fedora has issued an advisory for this today (August 18):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KPERAVSVZ542L4S6OA2QPUXNAJ4F2M5X/

Severity: normal => major

Comment 5 Nicolas Salguero 2021-08-30 15:14:56 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Missing input validation on hostnames returned by DNS servers. (CVE-2021-3672)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3672
https://c-ares.haxx.se/adv_20210810.html
https://www.debian.org/security/2021/dsa-4954
https://ubuntu.com/security/notices/USN-5034-1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4F2ZKNNMGENSNMAS5CDHA3CDDRAXF3AQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KPERAVSVZ542L4S6OA2QPUXNAJ4F2M5X/
========================

Updated packages in core/updates_testing:
========================
lib(64)cares2-1.17.1-1.1.mga8
lib(64)cares-devel-1.17.1-1.1.mga8

from SRPM:
c-ares-1.17.1-1.1.mga8.src.rpm

Status comment: Fixed upstream in 1.17.2 => (none)
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-3672
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
