* [Buildroot] [PATCH 1/1] package/c-ares: security bump to version 1.17.0
@ 2020-11-17 7:10 Fabrice Fontaine
2020-11-17 19:58 ` Peter Korsgaard
2020-12-06 22:20 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2020-11-17 7:10 UTC (permalink / raw)
To: buildroot
- avoid read-heap-buffer-overflow in ares_parse_soa_reply found during
fuzzing
- Avoid theoretical buffer overflow in RC4 loop comparison
- Empty hquery->name could lead to invalid memory access
- ares_parse_{a,aaaa}_reply() could return a larger *naddrttls than was
passed in
https://c-ares.haxx.se/changelog.html#1_17_0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/c-ares/c-ares.hash | 2 +-
package/c-ares/c-ares.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/c-ares/c-ares.hash b/package/c-ares/c-ares.hash
index 04a87402e9..a24f3d72ea 100644
--- a/package/c-ares/c-ares.hash
+++ b/package/c-ares/c-ares.hash
@@ -1,5 +1,5 @@
# Locally calculated after checking pgp signature
-sha256 d08312d0ecc3bd48eee0a4cc0d2137c9f194e0a28de2028928c0f6cae85f86ce c-ares-1.16.1.tar.gz
+sha256 1cecd5dbe21306c7263f8649aa6e9a37aecb985995a3489f487d98df2b40757d c-ares-1.17.0.tar.gz
# Hash for license file
sha256 db4eb63fe09daebdf57d3f79b091bb5ee5070c0d761040e83264e648d307af4c LICENSE.md
diff --git a/package/c-ares/c-ares.mk b/package/c-ares/c-ares.mk
index f07a7e566f..d3510b3c81 100644
--- a/package/c-ares/c-ares.mk
+++ b/package/c-ares/c-ares.mk
@@ -4,7 +4,7 @@
#
################################################################################
-C_ARES_VERSION = 1.16.1
+C_ARES_VERSION = 1.17.0
C_ARES_SITE = http://c-ares.haxx.se/download
C_ARES_INSTALL_STAGING = YES
C_ARES_CONF_OPTS = --with-random=/dev/urandom
--
2.29.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH 1/1] package/c-ares: security bump to version 1.17.0
2020-11-17 7:10 [Buildroot] [PATCH 1/1] package/c-ares: security bump to version 1.17.0 Fabrice Fontaine
@ 2020-11-17 19:58 ` Peter Korsgaard
2020-12-06 22:20 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2020-11-17 19:58 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - avoid read-heap-buffer-overflow in ares_parse_soa_reply found during
> fuzzing
> - Avoid theoretical buffer overflow in RC4 loop comparison
> - Empty hquery->name could lead to invalid memory access
> - ares_parse_{a,aaaa}_reply() could return a larger *naddrttls than was
> passed in
> https://c-ares.haxx.se/changelog.html#1_17_0
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH 1/1] package/c-ares: security bump to version 1.17.0
2020-11-17 7:10 [Buildroot] [PATCH 1/1] package/c-ares: security bump to version 1.17.0 Fabrice Fontaine
2020-11-17 19:58 ` Peter Korsgaard
@ 2020-12-06 22:20 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2020-12-06 22:20 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - avoid read-heap-buffer-overflow in ares_parse_soa_reply found during
> fuzzing
> - Avoid theoretical buffer overflow in RC4 loop comparison
> - Empty hquery->name could lead to invalid memory access
> - ares_parse_{a,aaaa}_reply() could return a larger *naddrttls than was
> passed in
> https://c-ares.haxx.se/changelog.html#1_17_0
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2020.02.x and 2020.08.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-12-06 22:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-11-17 7:10 [Buildroot] [PATCH 1/1] package/c-ares: security bump to version 1.17.0 Fabrice Fontaine
2020-11-17 19:58 ` Peter Korsgaard
2020-12-06 22:20 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox