Source: c-ares
Version: 1.17.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.14.0-1
Control: fixed -1 1.14.0-1+deb10u1
Control: fixed -1 1.17.1-1+deb11u1

Hi,

The following vulnerability was published for c-ares.

CVE-2021-3672[0]:
| Missing input validation on hostnames returned by DNS servers

Respective bullseye-security and buster-security updates are prepared, as well as an NMU for unstable. Will attach the debdiff shortly.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3672
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3672
[1] https://c-ares.haxx.se/adv_20210810.html
[2] https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83
[3] https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14

Regards,
Salvatore