[ubuntu/oracular-security] c-ares 1.33.0-1ubuntu0.1 (Accepted)
Marc Deslauriers
marc.deslauriers at canonical.com
Mon May 5 11:44:12 UTC 2025
c-ares (1.33.0-1ubuntu0.1) oracular-security; urgency=medium

  * SECURITY UPDATE: Use after free() in read_answers()
    - debian/patches/CVE-2025-31498-pre1.patch: ares_getaddrinfo() for
      AF_UNSPEC should retry if ipv6 received in
      src/lib/ares_getaddrinfo.c, test/ares-test-mock-ai.cc.
    - debian/patches/CVE-2025-31498-1.patch: queue queries to be resent in
      src/lib/ares_close_sockets.c, src/lib/ares_cookie.c,
      src/lib/ares_private.h, src/lib/ares_process.c,
      src/lib/dsa/ares__array.c, src/lib/dsa/ares__array.h,
      test/ares-test-mock-ai.cc, test/ares-test-mock.cc, test/ares-test.cc,
      test/ares-test.h.
    - debian/patches/CVE-2025-31498-2.patch: windows build fix in
      test/ares-test.cc.
    - debian/patches/CVE-2025-31498-3.patch: remove unused vars in
      src/lib/ares_process.c.
    - debian/patches/CVE-2025-31498-4.patch: windows build fix in
      test/ares-test.cc.
    - debian/patches/CVE-2025-31498-5.patch: variable set but never read in
      src/lib/ares_process.c.
    - debian/patches/CVE-2025-31498-6.patch: build fix in
      test/ares-test.cc, test/ares-test.h.
    - debian/libcares2.symbols: added new symbol.
    - CVE-2025-31498

Date: 2025-04-09 18:24:13.969675+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/c-ares/1.33.0-1ubuntu0.1