--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-e59bcaf702
2020-07-01 01:34:56.095997
--------------------------------------------------------------------------------
Name : adns
Product : Fedora 31
Version : 1.6.0
Release : 1.fc31
URL :
http://www.chiark.greenend.org.uk/~ian/adns/
Summary : Advanced, easy to use, asynchronous-capable DNS client library
Description :
adns is a resolver library for C (and C++) programs. In contrast with
the existing interfaces, gethostbyname et al and libresolv, it has the
following features:
- It is reasonably easy to use for simple programs which just want to
translate names to addresses, look up MX records, etc.
- It can be used in an asynchronous, non-blocking, manner. Many
queries can be handled simultaneously.
- Responses are decoded automatically into a natural representation
for a C program - there is no need to deal with DNS packet formats.
- Sanity checking (eg, name syntax checking, reverse/forward
correspondence, CNAME pointing to CNAME) is performed automatically.
- Time-to-live, CNAME and other similar information is returned in an
easy-to-use form, without getting in the way.
- There is no global state in the library; resolver state is an opaque
data structure which the client creates explicitly. A program can have
several instances of the resolver.
- Errors are reported to the application in a way that distinguishes
the various causes of failure properly.
- Understands conventional resolv.conf, but this can overridden by
environment variables.
- Flexibility. For example, the application can tell adns to: ignore
environment variables (for setuid programs), disable sanity checks eg
to return arbitrary data, override or ignore resolv.conf in favour of
supplied configuration, etc.
- Believed to be correct ! For example, will correctly back off to TCP
in case of long replies or queries, or to other nameservers if several
are available. It has sensible handling of bad responses etc.
--------------------------------------------------------------------------------
Update Information:
New upstream release * Important security fixes: CVE-2017-9103
CVE-2017-9104 CVE-2017-9105 CVE-2017-9109: Vulnerable applications: all
adns callers. Exploitable by: the local recursive resolver.
Likely worst case: Remote code execution. CVE-2017-9106: Vulnerable
applications: those that make SOA queries. Exploitable by: upstream DNS
data sources. Likely worst case: DoS (crash of the adns-using
application) CVE-2017-9107: Vulnerable applications: those that use
adns_qf_quoteok_query. Exploitable by: sources of query domain names.
Likely worst case: DoS (crash of the adns-using application) CVE-2017-9108:
Vulnerable applications: adnshost. Exploitable by: code responsible for
framing the input. Likely worst case: DoS (adnshost crashes at EOF).
All found by AFL 2.35b. Thanks to the University of Cambridge Department of
Applied Mathematics for computing facilities.
--------------------------------------------------------------------------------
ChangeLog:
* Sun Jun 21 2020 S��rgio Basto <sergio(a)serjux.com> - 1.6.0-1
- Update adns to 1.6.0 (#1846479)
- Drop patch0, upstream fixed patch0 in another way
* Tue Feb 18 2020 Than Ngo <than(a)redhat.com> - 1.5.1-10
- Fixed FTBFS
* Tue Jan 28 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.5.1-9
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1849772 - CVE-2017-9105 adns: pointer corruption when a nameserver speaks
first because of a wrong number of pointer dereferences
https://bugzilla.redhat.com/show_bug.cgi?id=1849772
[ 2 ] Bug #1849775 - CVE-2017-9103 adns: pap_mailbox822 does not properly check st from
adns__findlabel_next
https://bugzilla.redhat.com/show_bug.cgi?id=1849775
[ 3 ] Bug #1849777 - CVE-2017-9104 adns: uncontrolled resource consumption when a
compression pointer loop is encountered
https://bugzilla.redhat.com/show_bug.cgi?id=1849777
[ 4 ] Bug #1849779 - CVE-2017-9109 adns: out-of-bounds access when handling apparent
answers
https://bugzilla.redhat.com/show_bug.cgi?id=1849779
[ 5 ] Bug #1849782 - CVE-2017-9106 adns: lack of check for out-of-range integers values
can lead to out-of-bounds access
https://bugzilla.redhat.com/show_bug.cgi?id=1849782
[ 6 ] Bug #1849784 - CVE-2017-9107 adns: out-of-bounds read when a domain ends with
backslash
https://bugzilla.redhat.com/show_bug.cgi?id=1849784
[ 7 ] Bug #1849787 - CVE-2017-9108 adns: improper handling of a missing final newline on
a stdin read
https://bugzilla.redhat.com/show_bug.cgi?id=1849787
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-e59bcaf702' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------