[Buildroot] [PATCH 1/3] package/c-ares: security bump to version 1.17.2

Peter Korsgaard peter at korsgaard.com
Tue Sep 7 13:54:03 UTC 2021


>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:

 > - NodeJS passes NULL for addr and 0 for addrlen to
 >   ares_parse_ptr_reply() on systems where malloc(0) returns NULL. This
 >   would cause a crash.
 > - If ares_getaddrinfo() was terminated by an ares_destroy(), it would
 >   cause a crash
 > - Crash in sortaddrinfo() if the list size equals 0 due to an unexpected
 >   DNS response
 > - Expand number of escaped characters in DNS replies as per RFC1035 5.1
 >   to prevent spoofing follow-up
 > - Perform validation on hostnames to prevent possible XSS due to
 >   applications not performing validation themselves

 > https://c-ares.haxx.se/changelog.html#1_17_2

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>

Committed to 2021.02.x and 2021.05.x, thanks.

-- 
Bye, Peter Korsgaard

