CVE-2023-32067

NameCVE-2023-32067
Descriptionc-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3471-1, DSA-5419-1, ELA-883-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
c-ares (PTS)jessie, jessie (lts)1.10.0-2+deb8u7fixed
stretch (security)1.12.0-1+deb9u2vulnerable
stretch (lts), stretch1.12.0-1+deb9u6fixed
buster (security), buster, buster (lts)1.14.0-1+deb10u4fixed
bullseye (security), bullseye1.17.1-1+deb11u3fixed
bookworm1.18.1-3fixed
sid, trixie1.34.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
c-aressourceexperimental1.19.1-1
c-aressourcejessie1.10.0-2+deb8u5ELA-883-1
c-aressourcestretch1.12.0-1+deb9u4ELA-883-1
c-aressourcebuster1.14.0-1+deb10u3DLA-3471-1
c-aressourcebullseye1.17.1-1+deb11u3DSA-5419-1
c-aressource(unstable)1.18.1-3

Notes

https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc
https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae (cares-1_19_1)

Search for package or bug name: Reporting problems