[Buildroot] [PATCH 1/3] package/c-ares: security bump to version 1.17.2
Peter Korsgaard
peter at korsgaard.com
Tue Sep 7 13:54:03 UTC 2021
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:
> - NodeJS passes NULL for addr and 0 for addrlen to
> ares_parse_ptr_reply() on systems where malloc(0) returns NULL. This
> would cause a crash.
> - If ares_getaddrinfo() was terminated by an ares_destroy(), it would
> cause a crash
> - Crash in sortaddrinfo() if the list size equals 0 due to an unexpected
> DNS response
> - Expand number of escaped characters in DNS replies as per RFC1035 5.1
> to prevent spoofing follow-up
> - Perform validation on hostnames to prevent possible XSS due to
> applications not performing validation themselves
> https://c-ares.haxx.se/changelog.html#1_17_2
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Committed to 2021.02.x and 2021.05.x, thanks.
--
Bye, Peter Korsgaard