Debian 10261 Published by

A c-ares security update has been released for Debian GNU/Linux 9 Extended LTS to address missing input string checks.



ELA-800-1 c-ares security update

Package : c-ares
Version : 1.10.0-2+deb8u4 (jessie), 1.12.0-1+deb9u3 (stretch)

Related CVEs :
CVE-2022-4904

It was discovered that in c-ares, an asynchronous name resolver library, the config_sortlist function is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow and thus may cause a denial of service.

  ELA-800-1 c-ares security update