According to the c-ares project, there is an open CVE-2024-25629 which affects versions of c-ares before 1.27.0. Reading a malformed /etc/resolv.conf, /etc/nsswitch.conf or HOSTALIASES can crash the process. The severity level is considered moderate.
Created attachment 248697
update to 1.27.0 plus minor changes

dns/c-ares: update to 1.27.0
Changelog: https://c-ares.org/changelog.html
Minor port change to make linters happy
Security: CVE-2024-25629
Approved.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c096345ca5a678101030fd373211c8ced5c644be

commit c096345ca5a678101030fd373211c8ced5c644be
Author: Rodrigo Osorio <rodrigo@FreeBSD.org>
AuthorDate: 2024-02-23 22:04:51 +0000
Commit: Rodrigo Osorio <rodrigo@FreeBSD.org>
CommitDate: 2024-02-23 22:51:42 +0000

    dns/c-ares: upgrade to 1.27.0

    Changelog: https://c-ares.org/changelog.html

    PR: 277261
    Approved by: zi (maintainer)
    Security: CVE-2024-25629

 dns/c-ares/Makefile | 7 +++----
 dns/c-ares/distinfo | 6 +++---
 dns/c-ares/pkg-plist | 2 +-
 3 files changed, 7 insertions(+), 8 deletions(-)
committed, thanks