From 6be5219c4122e7844f842205f343f9006a2146ab Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Sat, 28 Aug 2021 17:06:02 +0200 Subject: [PATCH] package/c-ares: security bump to version 1.17.2 - NodeJS passes NULL for addr and 0 for addrlen to ares_parse_ptr_reply() on systems where malloc(0) returns NULL. This would cause a crash. - If ares_getaddrinfo() was terminated by an ares_destroy(), it would cause a crash - Crash in sortaddrinfo() if the list size equals 0 due to an unexpected DNS response - Expand number of escaped characters in DNS replies as per RFC1035 5.1 to prevent spoofing follow-up - Perform validation on hostnames to prevent possible XSS due to applications not performing valiation themselves https://c-ares.haxx.se/changelog.html#1_17_2 Signed-off-by: Fabrice Fontaine Signed-off-by: Yann E. MORIN --- package/c-ares/c-ares.hash | 2 +- package/c-ares/c-ares.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/c-ares/c-ares.hash b/package/c-ares/c-ares.hash index 235b7dbc66..28657645df 100644 --- a/package/c-ares/c-ares.hash +++ b/package/c-ares/c-ares.hash @@ -1,5 +1,5 @@ # Locally calculated after checking pgp signature -sha256 d73dd0f6de824afd407ce10750ea081af47eba52b8a6cb307d220131ad93fc40 c-ares-1.17.1.tar.gz +sha256 4803c844ce20ce510ef0eb83f8ea41fa24ecaae9d280c468c582d2bb25b3913d c-ares-1.17.2.tar.gz # Hash for license file sha256 db4eb63fe09daebdf57d3f79b091bb5ee5070c0d761040e83264e648d307af4c LICENSE.md diff --git a/package/c-ares/c-ares.mk b/package/c-ares/c-ares.mk index 8f200237cf..3a7c6e0298 100644 --- a/package/c-ares/c-ares.mk +++ b/package/c-ares/c-ares.mk @@ -4,7 +4,7 @@ # ################################################################################ -C_ARES_VERSION = 1.17.1 +C_ARES_VERSION = 1.17.2 C_ARES_SITE = http://c-ares.haxx.se/download C_ARES_INSTALL_STAGING = YES C_ARES_CONF_OPTS = --with-random=/dev/urandom -- 2.30.2