Security update for libcares2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1135-1 Final 1 1 2024-04-08T09:29:49Z current 2024-04-08T09:29:49Z 2024-04-08T09:29:49Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libcares2 This update for libcares2 fixes the following issues: - CVE-2024-25629: Fixed out of bounds read in ares__read_line() (bsc#1220279). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-SAP-Azure-LI-BYOS-Production-2024-1135,Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production-2024-1135,SUSE-2024-1135,SUSE-SLE-SDK-12-SP5-2024-1135,SUSE-SLE-SERVER-12-SP5-2024-1135,SUSE-SLE-WE-12-SP5-2024-1135 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241135-1/ Link for SUSE-SU-2024:1135-1 https://lists.suse.com/pipermail/sle-updates/2024-April/034887.html E-Mail link for SUSE-SU-2024:1135-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1220279 SUSE Bug 1220279 https://www.suse.com/security/cve/CVE-2024-25629/ SUSE CVE CVE-2024-25629 page Image SLES12-SP5-SAP-Azure-LI-BYOS-Production Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 SUSE Linux Enterprise Workstation Extension 12 SP5 libcares2-1.9.1-9.21.1 libcares-devel-1.9.1-9.21.1 libcares2-32bit-1.9.1-9.21.1 libcares2-64bit-1.9.1-9.21.1 libcares2-1.9.1-9.21.1 as a component of Image SLES12-SP5-SAP-Azure-LI-BYOS-Production libcares2-1.9.1-9.21.1 as a component of Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production libcares2-1.9.1-9.21.1 as a component of SUSE Linux Enterprise Server 12 SP5 libcares2-1.9.1-9.21.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 libcares-devel-1.9.1-9.21.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 libcares2-32bit-1.9.1-9.21.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP5 c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist. CVE-2024-25629 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:libcares2-1.9.1-9.21.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:libcares2-1.9.1-9.21.1 SUSE Linux Enterprise Server 12 SP5:libcares2-1.9.1-9.21.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcares2-1.9.1-9.21.1 SUSE Linux Enterprise Software Development Kit 12 SP5:libcares-devel-1.9.1-9.21.1 SUSE Linux Enterprise Workstation Extension 12 SP5:libcares2-32bit-1.9.1-9.21.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241135-1/ https://www.suse.com/security/cve/CVE-2024-25629.html CVE-2024-25629 https://bugzilla.suse.com/1220279 SUSE Bug 1220279