c-ares/RELEASE-NOTES

c-ares version 1.19.1

This is a security and bugfix release.

A special thanks goes out to the Open Source Technology Improvement Fund
(https://ostif.org) for sponsoring a security audit of c-ares performed by X41
(https://x41-dsec.de).

Security:
 o CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service [12]
 o CVE-2023-31147. Moderate. Insufficient randomness in generation of DNS
   query IDs [13]
 o CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton() [14]
 o CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during cross
   compilation [15]

Bug fixes:
 o Fix uninitialized memory warning in test [1]
 o Turn off IPV6_V6ONLY on Windows to allow IPv4-mapped IPv6 addresses [2]
 o ares_getaddrinfo() should allow a port of 0 [3]
 o Fix memory leak in ares_send() on error [4]
 o Fix comment style in ares_data.h [5]
 o Remove unneeded ifdef for Windows [6]
 o Fix typo in ares_init_options.3 [7]
 o Re-add support for Watcom compiler [8]
 o Sync ax_pthread.m4 with upstream [9]
 o Windows: Invalid stack variable used out of scope for HOSTS path [10]
 o Sync ax_cxx_compile_stdcxx_11.m4 with upstream to fix uclibc support [11]

Thanks go to these friendly people for their efforts and contributions:
  Brad House (@bradh352)
  @Chilledheart
  Daniel Stenberg (@bagder)
  Douglas R. Reno (@renodr)
  Gregor Jasny (@gjasny)
  Jay Freeman (@saurik)
  @lifenjoiner
  Nikolaos Chatzikonstantinou (@createyourpersonalaccount)
  Yijie Ma (@yijiem)
(9 contributors)

References to bug reports and discussions on issues:
 [1] = https://github.com/c-ares/c-ares/pull/515
 [2] = https://github.com/c-ares/c-ares/pull/520
 [3] = https://github.com/c-ares/c-ares/issues/517
 [4] = https://github.com/c-ares/c-ares/pull/511
 [5] = https://github.com/c-ares/c-ares/pull/513
 [6] = https://github.com/c-ares/c-ares/pull/512
 [7] = https://github.com/c-ares/c-ares/pull/510
 [8] = https://github.com/c-ares/c-ares/pull/509
 [9] = https://github.com/c-ares/c-ares/pull/507
 [10] = https://github.com/c-ares/c-ares/pull/502
 [11] = https://github.com/c-ares/c-ares/pull/505
 [12] = https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc
 [13] = https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2
 [14] = https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v
 [15] = https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4
add public release note information 2 years ago			`c-ares version 1.19.1`
note about 1.17.1 4 years ago
security release notes 2 years ago			`This is a security and bugfix release.`

			`A special thanks goes out to the Open Source Technology Improvement Fund`
			`(https://ostif.org) for sponsoring a security audit of c-ares performed by X41`
			`(https://x41-dsec.de).`
Avoid buffer overflow in RC4 loop comparison (#336) The rc4 function iterates over a buffer of size buffer_len who's maximum value is INT_MAX with a counter of type short that is not guaranteed to have maximum size INT_MAX. In circumstances where short is narrower than int and where buffer_len is larger than the maximum value of a short, it may be possible to loop infinitely as counter will overflow and never be greater than or equal to buffer_len. The solution is to make the comparison be between types of equal width. This commit defines counter as an int. Fix By: Fionn Fitzmaurice (@fionn) 5 years ago
Prep for 1.19.0 release 2 years ago			`Security:`
security release notes 2 years ago			`o CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service [12]`
			`o CVE-2023-31147. Moderate. Insufficient randomness in generation of DNS`
			`query IDs [13]`
			`o CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton() [14]`
			`o CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during cross`
			`compilation [15]`
Avoid buffer overflow in RC4 loop comparison (#336) The rc4 function iterates over a buffer of size buffer_len who's maximum value is INT_MAX with a counter of type short that is not guaranteed to have maximum size INT_MAX. In circumstances where short is narrower than int and where buffer_len is larger than the maximum value of a short, it may be possible to loop infinitely as counter will overflow and never be greater than or equal to buffer_len. The solution is to make the comparison be between types of equal width. This commit defines counter as an int. Fix By: Fionn Fitzmaurice (@fionn) 5 years ago
			`Bug fixes:`
add public release note information 2 years ago			`o Fix uninitialized memory warning in test [1]`
			`o Turn off IPV6_V6ONLY on Windows to allow IPv4-mapped IPv6 addresses [2]`
			`o ares_getaddrinfo() should allow a port of 0 [3]`
			`o Fix memory leak in ares_send() on error [4]`
			`o Fix comment style in ares_data.h [5]`
			`o Remove unneeded ifdef for Windows [6]`
			`o Fix typo in ares_init_options.3 [7]`
			`o Re-add support for Watcom compiler [8]`
			`o Sync ax_pthread.m4 with upstream [9]`
			`o Windows: Invalid stack variable used out of scope for HOSTS path [10]`
			`o Sync ax_cxx_compile_stdcxx_11.m4 with upstream to fix uclibc support [11]`
Avoid buffer overflow in RC4 loop comparison (#336) The rc4 function iterates over a buffer of size buffer_len who's maximum value is INT_MAX with a counter of type short that is not guaranteed to have maximum size INT_MAX. In circumstances where short is narrower than int and where buffer_len is larger than the maximum value of a short, it may be possible to loop infinitely as counter will overflow and never be greater than or equal to buffer_len. The solution is to make the comparison be between types of equal width. This commit defines counter as an int. Fix By: Fionn Fitzmaurice (@fionn) 5 years ago
			`Thanks go to these friendly people for their efforts and contributions:`
1.17.0 release prep 4 years ago			`Brad House (@bradh352)`
add public release note information 2 years ago			`@Chilledheart`
1.17.0 release prep 4 years ago			`Daniel Stenberg (@bagder)`
add public release note information 2 years ago			`Douglas R. Reno (@renodr)`
			`Gregor Jasny (@gjasny)`
			`Jay Freeman (@saurik)`
Prep for 1.19.0 release 2 years ago			`@lifenjoiner`
			`Nikolaos Chatzikonstantinou (@createyourpersonalaccount)`
add public release note information 2 years ago			`Yijie Ma (@yijiem)`
			`(9 contributors)`
Avoid buffer overflow in RC4 loop comparison (#336) The rc4 function iterates over a buffer of size buffer_len who's maximum value is INT_MAX with a counter of type short that is not guaranteed to have maximum size INT_MAX. In circumstances where short is narrower than int and where buffer_len is larger than the maximum value of a short, it may be possible to loop infinitely as counter will overflow and never be greater than or equal to buffer_len. The solution is to make the comparison be between types of equal width. This commit defines counter as an int. Fix By: Fionn Fitzmaurice (@fionn) 5 years ago
			`References to bug reports and discussions on issues:`
add public release note information 2 years ago			`[1] = https://github.com/c-ares/c-ares/pull/515`
			`[2] = https://github.com/c-ares/c-ares/pull/520`
			`[3] = https://github.com/c-ares/c-ares/issues/517`
			`[4] = https://github.com/c-ares/c-ares/pull/511`
			`[5] = https://github.com/c-ares/c-ares/pull/513`
			`[6] = https://github.com/c-ares/c-ares/pull/512`
			`[7] = https://github.com/c-ares/c-ares/pull/510`
			`[8] = https://github.com/c-ares/c-ares/pull/509`
			`[9] = https://github.com/c-ares/c-ares/pull/507`
			`[10] = https://github.com/c-ares/c-ares/pull/502`
			`[11] = https://github.com/c-ares/c-ares/pull/505`
update security advisory links 2 years ago			`[12] = https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc`
			`[13] = https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2`
			`[14] = https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v`
			`[15] = https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4`