* [Buildroot] [PATCH] package/c-ares: security bump to version 1.19.1
@ 2023-06-19 14:36 Peter Korsgaard
2023-06-19 19:34 ` Arnout Vandecappelle via buildroot
2023-07-06 11:32 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2023-06-19 14:36 UTC (permalink / raw)
To: buildroot
Fixes the following security issues:
- CVE-2023-32067: High. 0-byte UDP payload causes Denial of Service
- CVE-2023-31147 Moderate. Insufficient randomness in generation of DNS
query IDs
- CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton()
- CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during
cross compilation
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/c-ares/c-ares.hash | 2 +-
package/c-ares/c-ares.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/c-ares/c-ares.hash b/package/c-ares/c-ares.hash
index edf891674b..3e1573f2cf 100644
--- a/package/c-ares/c-ares.hash
+++ b/package/c-ares/c-ares.hash
@@ -1,5 +1,5 @@
# Locally calculated after checking pgp signature
-sha256 bfceba37e23fd531293829002cac0401ef49a6dc55923f7f92236585b7ad1dd3 c-ares-1.19.0.tar.gz
+sha256 321700399b72ed0e037d0074c629e7741f6b2ec2dda92956abe3e9671d3e268e c-ares-1.19.1.tar.gz
# Hash for license file
sha256 db4eb63fe09daebdf57d3f79b091bb5ee5070c0d761040e83264e648d307af4c LICENSE.md
diff --git a/package/c-ares/c-ares.mk b/package/c-ares/c-ares.mk
index 4332fc6919..46b8acd673 100644
--- a/package/c-ares/c-ares.mk
+++ b/package/c-ares/c-ares.mk
@@ -4,7 +4,7 @@
#
################################################################################
-C_ARES_VERSION = 1.19.0
+C_ARES_VERSION = 1.19.1
C_ARES_SITE = http://c-ares.haxx.se/download
C_ARES_INSTALL_STAGING = YES
C_ARES_CONF_OPTS = --with-random=/dev/urandom
--
2.30.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/c-ares: security bump to version 1.19.1
2023-06-19 14:36 [Buildroot] [PATCH] package/c-ares: security bump to version 1.19.1 Peter Korsgaard
@ 2023-06-19 19:34 ` Arnout Vandecappelle via buildroot
2023-07-06 11:32 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2023-06-19 19:34 UTC (permalink / raw)
To: Peter Korsgaard, buildroot
On 19/06/2023 16:36, Peter Korsgaard wrote:
> Fixes the following security issues:
>
> - CVE-2023-32067: High. 0-byte UDP payload causes Denial of Service
> - CVE-2023-31147 Moderate. Insufficient randomness in generation of DNS
> query IDs
> - CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton()
> - CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during
> cross compilation
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks.
Regards,
Arnout
> ---
> package/c-ares/c-ares.hash | 2 +-
> package/c-ares/c-ares.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/package/c-ares/c-ares.hash b/package/c-ares/c-ares.hash
> index edf891674b..3e1573f2cf 100644
> --- a/package/c-ares/c-ares.hash
> +++ b/package/c-ares/c-ares.hash
> @@ -1,5 +1,5 @@
> # Locally calculated after checking pgp signature
> -sha256 bfceba37e23fd531293829002cac0401ef49a6dc55923f7f92236585b7ad1dd3 c-ares-1.19.0.tar.gz
> +sha256 321700399b72ed0e037d0074c629e7741f6b2ec2dda92956abe3e9671d3e268e c-ares-1.19.1.tar.gz
>
> # Hash for license file
> sha256 db4eb63fe09daebdf57d3f79b091bb5ee5070c0d761040e83264e648d307af4c LICENSE.md
> diff --git a/package/c-ares/c-ares.mk b/package/c-ares/c-ares.mk
> index 4332fc6919..46b8acd673 100644
> --- a/package/c-ares/c-ares.mk
> +++ b/package/c-ares/c-ares.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -C_ARES_VERSION = 1.19.0
> +C_ARES_VERSION = 1.19.1
> C_ARES_SITE = http://c-ares.haxx.se/download
> C_ARES_INSTALL_STAGING = YES
> C_ARES_CONF_OPTS = --with-random=/dev/urandom
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/c-ares: security bump to version 1.19.1
2023-06-19 14:36 [Buildroot] [PATCH] package/c-ares: security bump to version 1.19.1 Peter Korsgaard
2023-06-19 19:34 ` Arnout Vandecappelle via buildroot
@ 2023-07-06 11:32 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2023-07-06 11:32 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> - CVE-2023-32067: High. 0-byte UDP payload causes Denial of Service
> - CVE-2023-31147 Moderate. Insufficient randomness in generation of DNS
> query IDs
> - CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton()
> - CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during
> cross compilation
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2023.02.x and 2023.05.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-07-06 11:32 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-06-19 14:36 [Buildroot] [PATCH] package/c-ares: security bump to version 1.19.1 Peter Korsgaard
2023-06-19 19:34 ` Arnout Vandecappelle via buildroot
2023-07-06 11:32 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox