Bug 39303 - c-ares version 1.17.0 fixes CVE-2020-8277
Summary: c-ares version 1.17.0 fixes CVE-2020-8277
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: libcares
Version: unstable
Hardware: x86_64 Linux
: P5 normal
Assignee: Anton Farygin
QA Contact: qa-sisyphus
URL: https://github.com/c-ares/c-ares/issu...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-16 23:39 MSK by Vitaly Lipatov
Modified: 2020-11-17 17:01 MSK

Description Vitaly Lipatov 2020-11-16 23:39:25 MSK
c-ares version 1.17.0 fixes CVE-2020-8277.

https://github.com/c-ares/c-ares/issues/371

The node 14.15.1 security release of 2020-11-16 consists solely of a patch for c-ares that fixes
CVE-2020-8277: Denial of Service through DNS request (High). A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service by getting the application to resolve a DNS record with a larger number of responses.
Comment 1 Anton Farygin 2020-11-17 16:54:53 MSK
The 1.17.0 build has been broken by upstream; they are fixing it.
Comment 2 Anton Farygin 2020-11-17 17:01:15 MSK
Well, while they are fixing it, I have applied the upstream patch to 1.16.1 in 1.16.1-alt2