CVE-2021-3672

NameCVE-2021-3672
DescriptionA flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2738-1, DSA-4954-1
NVD severitymedium
Debian Bugs992053

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
c-ares (PTS)stretch1.12.0-1+deb9u1vulnerable
stretch (security)1.12.0-1+deb9u2fixed
buster, buster (security)1.14.0-1+deb10u1fixed
bullseye (security), bullseye1.17.1-1+deb11u1fixed
bookworm, sid1.18.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
c-aressourcestretch1.12.0-1+deb9u2DLA-2738-1
c-aressourcebuster1.14.0-1+deb10u1DSA-4954-1
c-aressourcebullseye1.17.1-1+deb11u1
c-aressource(unstable)1.17.1-1.1992053

Notes

https://c-ares.haxx.se/adv_20210810.html
https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83
https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14

Search for package or bug name: Reporting problems