CVE-2023-32067

NameCVE-2023-32067
Descriptionc-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3471-1, DSA-5419-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
c-ares (PTS)buster1.14.0-1+deb10u1vulnerable
buster (security)1.14.0-1+deb10u4fixed
bullseye (security), bullseye1.17.1-1+deb11u3fixed
bookworm1.18.1-3fixed
sid, trixie1.27.0-1.2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
c-aressourceexperimental1.19.1-1
c-aressourcebuster1.14.0-1+deb10u3DLA-3471-1
c-aressourcebullseye1.17.1-1+deb11u3DSA-5419-1
c-aressource(unstable)1.18.1-3

Notes

https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc
https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae (cares-1_19_1)
Search for package or bug name: Reporting problems