Deps: Upgrade c-ares to >= 1.12.0 (CVE-2016-5180) #12532

Closed
Dominik-K opened this issue Apr 20, 2017 · 1 comment
Labels
cares: Issues and PRs related to the c-ares dependency or the cares_wrap binding.
security: Issues and PRs related to security.

Comments

@Dominik-K

c-ares has a vulnerability in ares_create_query or ares_mkquery. I don't know if this affects Node.js itself. However, it's shown as a vulnerability in the node Docker image. E.g. the only one in the alpine image. 👍 Keep up the good work.

@bnoordhuis
Member

We cherry-picked the fix into our fork of c-ares in #8849 and that was released in v4.6.1 and v6.8.0; v7.x was never affected. Thanks for the report, though.

cc'ing @nodejs/docker just in case.

@bnoordhuis added the cares and security labels on Apr 20, 2017