FSA/F7/FEDORA-2007-0724

[SECURITY] Fedora 7 Update: c-ares-1.4.0-1.fc7
Fedora Update Notification
FEDORA-2007-0724
2007-06-27 18:52:48.812824

Name        : c-ares
Product     : Fedora 7
Version     : 1.4.0
Release     : 1.fc7
Summary     : A library that performs asynchronous DNS operations
Description : c-ares is a C library that performs DNS requests and name resolves asynchronously. c-ares is a fork of the library named 'ares', written by Greg Hudson at MIT.

Update Information:

c-ares < 1.4.0 is vulnerable because the "Transaction ID" field in its DNS queries is predictable. An attacker who guesses a valid ID can exploit this to poison the DNS cache of an application using the library.

http://www.vuxml.org/freebsd/70ae62b0-16b0-11dc-b803-0016179b2dd5.html

ChangeLog:

* Wed Jun 27 2007 Tom "spot" Callaway 1.4.0-1
- bump to 1.4.0 (resolves bugzilla 243591)
- get rid of static library (.a)

References:

[ 1 ] Bug #243591 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=243591
[ 2 ] CVE-2007-3152 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3152
[ 3 ] CVE-2007-3153 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3153

Updated packages:


This update can be installed with the 'yum' update program. Use 'yum update package-name' at the command line. For more information, refer to 'Managing Software with yum,' available at http://docs.fedoraproject.org/yum/.