Missing input validation of host names returned by Domain Name Servers in the c-ares library can lead to output of wrong hostnames (leading to Domain Hijacking).
Created c-ares tracking bugs for this issue: Affects: fedora-all [bug 1992221]
Created mingw-c-ares tracking bugs for this issue: Affects: fedora-all [bug 1992222]
c-ares upstream advisory: https://c-ares.haxx.se/adv_20210810.html Patch linked from the above upstream advisory: https://github.com/c-ares/c-ares/compare/809d5e8..44c009b.patch
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7; Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS. Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7; Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS. Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3672
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666
Attack Complexity has been rated as high because an attacker would either need to have a legitimate DNS server under his control which has the malicious records with zero bytes, or trick the user into querying another rogue DNS server.
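As an added illustration of the validation the advisory calls for (this is not c-ares code or the upstream patch), the checker below takes the explicit length of a name taken from a DNS answer, so an embedded zero byte is rejected instead of silently truncating the name; the sample names are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Validate a host name received in a DNS response before handing it to
 * the application. The caller passes the real byte length, not strlen(),
 * so a zero byte inside the name is seen. Rules follow RFC 1123 host name
 * syntax: labels of letters, digits and hyphens, no leading or trailing
 * hyphen, at most 63 bytes per label and 253 bytes in total.
 * Returns 1 if the name is acceptable, 0 otherwise. */
int dns_hostname_is_valid(const char *name, size_t len)
{
    size_t i, label_len = 0;

    if (len == 0 || len > 253)
        return 0;
    if (name[len - 1] == '.')      /* accept a fully-qualified trailing dot */
        len--;
    if (len == 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {            /* label boundary: previous label must be non-empty */
            if (label_len == 0 || name[i - 1] == '-')
                return 0;
            label_len = 0;
            continue;
        }
        /* zero bytes, whitespace, control and non-ASCII bytes all land here */
        if (c >= 0x80 || !(isalnum(c) || c == '-'))
            return 0;
        if (label_len == 0 && c == '-')
            return 0;
        if (++label_len > 63)
            return 0;
    }
    return (label_len != 0 && name[len - 1] != '-') ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: a name carrying an embedded zero byte, the kind of
     * record a malicious resolver could return. strlen() sees only "mail". */
    static const char sample[] = "mail\0.example.test";
    printf("strlen() view: %s\n", dns_hostname_is_valid(sample, strlen(sample)) ? "accepted" : "rejected");
    printf("full length  : %s\n", dns_hostname_is_valid(sample, sizeof(sample) - 1) ? "accepted" : "rejected");
    return 0;
}
```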
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:2043 https://access.redhat.com/errata/RHSA-2022:2043