CVE-2021-3672

Name: CVE-2021-3672
Description: Missing input validation on hostnames returned by DNS servers
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-2738-1, DSA-4954-1
Debian Bugs: 992053

Vulnerable and fixed packages

The table below lists information on source packages.

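| Source Package | Release | Version | Status |
|---|---|---|---|
| c-ares (PTS) | stretch | 1.12.0-1+deb9u1 | vulnerable |
| c-ares | stretch (security) | 1.12.0-1+deb9u2 | fixed |
| c-ares | buster | 1.14.0-1 | vulnerable |
| c-ares | buster (security) | 1.14.0-1+deb10u1 | fixed |
| c-ares | bullseye | 1.17.1-1 | vulnerable |
| c-ares | bullseye (security) | 1.17.1-1+deb11u1 | fixed |
| c-ares | bookworm, sid | 1.17.2-1 | fixed |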

The information below is based on the following data on fixed versions.

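| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| c-ares | source | stretch | 1.12.0-1+deb9u2 | | DLA-2738-1 | |
| c-ares | source | buster | 1.14.0-1+deb10u1 | | DSA-4954-1 | |
| c-ares | source | bullseye | 1.17.1-1+deb11u1 | | | |
| c-ares | source | (unstable) | 1.17.1-1.1 | | | 992053 |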

Notes

https://c-ares.haxx.se/adv_20210810.html
https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83
https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14
