C-Ares version update for buffer overflow vulnerability fix? #11728

Mickael-van-der-Beek · 2017-03-07T11:46:59Z

I was wondering if there were any plans for Node.js to update the C-Ares version from 1.10.0 to 1.12.0 so as to take into account the fix for the buffer overflow vulnerability (CVE-2016-5180)?

CVE-2016-5180: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5180
C-Ares Advisory: https://c-ares.haxx.se/adv_20160929.html
C-Ares Patch: https://c-ares.haxx.se/CVE-2016-5180.patch

addaleax · 2017-03-07T11:50:56Z

I think this particular problem was addressed by 68c4c71 (#8849)?

Mickael-van-der-Beek · 2017-03-07T13:10:42Z

@addaleax My bad I was looking at the version and not at the patch indeed. Thank you for the fast answer!

addaleax added cares Issues and PRs related to the c-ares dependency or the cares_wrap binding. question Issues that look for answers. security Issues and PRs related to security. labels Mar 7, 2017

Mickael-van-der-Beek closed this as completed Mar 7, 2017

westy92 mentioned this issue Mar 15, 2017

Node official images vulnerabilities docker-library/official-images#2740

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

C-Ares version update for buffer overflow vulnerability fix? #11728

C-Ares version update for buffer overflow vulnerability fix? #11728

Mickael-van-der-Beek commented Mar 7, 2017

addaleax commented Mar 7, 2017

Mickael-van-der-Beek commented Mar 7, 2017

C-Ares version update for buffer overflow vulnerability fix? #11728

C-Ares version update for buffer overflow vulnerability fix? #11728

Comments

Mickael-van-der-Beek commented Mar 7, 2017

addaleax commented Mar 7, 2017

Mickael-van-der-Beek commented Mar 7, 2017