Your message dated Tue, 10 Aug 2021 11:03:27 +0000
with message-id <e1mdpxb-0002az...@fasolo.debian.org>
and subject line Bug#992053: fixed in c-ares 1.17.1-1.1
has caused the Debian Bug report #992053,
regarding c-ares: CVE-2021-3672: Missing input validation on hostnames returned by DNS servers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
992053: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992053
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: c-ares
Version: 1.17.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.14.0-1
Control: fixed -1 1.14.0-1+deb10u1
Control: fixed -1 1.17.1-1+deb11u1

Hi,

The following vulnerability was published for c-ares.

CVE-2021-3672[0]:
| Missing input validation on hostnames returned by DNS servers

Respective bullseye-security and buster-security updates are prepared,
as well as an NMU for unstable. Will attach the debdiff shortly.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3672
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3672
[1] https://c-ares.haxx.se/adv_20210810.html
[2] https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83
[3] https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: c-ares
Source-Version: 1.17.1-1.1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
c-ares, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated c-ares package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 07 Aug 2021 11:43:50 +0200
Source: c-ares
Architecture: source
Version: 1.17.1-1.1
Distribution: unstable
Urgency: medium
Maintainer: Gregor Jasny <gja...@googlemail.com>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 992053
Changes:
 c-ares (1.17.1-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Missing input validation on hostnames returned by DNS servers
     (CVE-2021-3672) (Closes: #992053)
     - ares_expand_name() should escape more characters
     - ares_expand_name(): fix formatting and handling of root name response
Checksums-Sha1: 
 ae9d01a4640938cf1be2e6ee8c97f882d4fb168e 2277 c-ares_1.17.1-1.1.dsc
 21211a710b8af6d5ac10dc5a2fad120774f550da 9932 c-ares_1.17.1-1.1.debian.tar.xz
Checksums-Sha256: 
 672e1174eb176a5b60806d2b998ea10c1f2916f897e227a0a49f92b3f2b9dc64 2277 c-ares_1.17.1-1.1.dsc
 7b5dc4da2bf6cfafeb44797b3a9e58dabe94ef79347cf0f5375aad5af1fc9683 9932 c-ares_1.17.1-1.1.debian.tar.xz
Files: 
 4788fa6102cf9f47e3488eb444356074 2277 libs optional c-ares_1.17.1-1.1.dsc
 250f4b58e3f34f0471b7a2ac59478f0b 9932 libs optional c-ares_1.17.1-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
