Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update: c-ares #1375

Closed
dongsupark opened this issue Feb 26, 2024 · 1 comment
Closed

update: c-ares #1375

dongsupark opened this issue Feb 26, 2024 · 1 comment
Labels
advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS security security concerns

Comments

@dongsupark
Copy link
Member

dongsupark commented Feb 26, 2024
edited
Loading

Name: c-ares
CVEs: CVE-2024-25629
CVSSs: 4.4
Action Needed: update to >= 1.27.0

Summary: c-ares is a C library for asynchronous DNS requests. ares__read_line() is used to parse local configuration files such as /etc/resolv.conf, /etc/nsswitch.conf, the HOSTALIASES file, and if using a c-ares version prior to 1.27.0, the /etc/hosts file. If any of these configuration files has an embedded NULL character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.

See also https://seclists.org/oss-sec/2024/q1/157.

refmap.gentoo: https://bugs.gentoo.org/925661
@dongsupark dongsupark added security security concerns advisory security advisory labels Feb 26, 2024
@dongsupark dongsupark moved this from 📝 Needs Triage to 🪵Backlog in Flatcar tactical, release planning, and roadmap Feb 26, 2024
@github-actions github-actions bot mentioned this issue Mar 22, 2024
Closed
@dongsupark dongsupark added the cvss/MEDIUM >= 4 && < 7 assessed CVSS label Mar 25, 2024
@krnowak krnowak mentioned this issue Mar 26, 2024
Merged
2 tasks
@krnowak
Copy link
Member

krnowak commented Apr 8, 2024

This was fixed in flatcar/scripts#1788.

@krnowak krnowak closed this as completed Apr 8, 2024
@github-actions github-actions bot mentioned this issue Apr 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS security security concerns
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@krnowak @dongsupark