|
| 1 | +## c-ares version 1.34.7 - July 6 2026 |
| 2 | + |
| 3 | +This is a security release. |
| 4 | + |
| 5 | +Security: |
| 6 | +* CVE-2026-33630. Use-after-free / double-free in c-ares' query-completion |
| 7 | + handling, remotely triggerable via ares_getaddrinfo() over TCP. Please see |
| 8 | + https://github.com/c-ares/c-ares/security/advisories/GHSA-6wfj-rwm7-3542 |
| 9 | +* CPU-exhaustion denial of service via unbounded DNS name compression pointer |
| 10 | + chains. Please see |
| 11 | + https://github.com/c-ares/c-ares/security/advisories/GHSA-pjmc-gx33-gc76 |
| 12 | +* Memory-amplification denial of service via unvalidated DNS header record |
| 13 | + counts. Please see |
| 14 | + https://github.com/c-ares/c-ares/security/advisories/GHSA-jv8r-gqr9-68wj |
| 15 | + |
| 16 | +Changes: |
| 17 | +* `ares_getaddrinfo()`: handle a NULL node per POSIX and implement |
| 18 | + `ARES_AI_PASSIVE`. [PR #1186](https://github.com/c-ares/c-ares/pull/1186) |
| 19 | +* Mark parameters in callbacks as const. |
| 20 | + [PR #1060](https://github.com/c-ares/c-ares/pull/1060) |
| 21 | +* Correct `ARES_CLASS_HESOID` misspelling to `ARES_CLASS_HESIOD`. |
| 22 | + [PR #1092](https://github.com/c-ares/c-ares/pull/1092) |
| 23 | + |
| 24 | +Bugfixes: |
| 25 | +* Fix sticky server recovery when all servers have failures. [PR #1192](https://github.com/c-ares/c-ares/pull/1192) |
| 26 | +* Fix UDP socket exhaustion regression: retire connections per-connection, not via server failure count. [PR #1197](https://github.com/c-ares/c-ares/pull/1197) |
| 27 | +* Guard DNS record binary length overflow. [PR #1168](https://github.com/c-ares/c-ares/pull/1168) |
| 28 | +* Prevent integer overflow in allocation size calculations. [PR #1147](https://github.com/c-ares/c-ares/pull/1147) |
| 29 | +* Prevent overflow in ares_array allocation size calculations. [PR #1117](https://github.com/c-ares/c-ares/pull/1117) |
| 30 | +* Prevent integer overflow in buffer size calculation. [PR #1116](https://github.com/c-ares/c-ares/pull/1116) |
| 31 | +* Add overflow checks to ares_buf_ensure_space(). [PR #1094](https://github.com/c-ares/c-ares/pull/1094) |
| 32 | +* Skip name compression offsets beyond the 14-bit pointer limit. [PR #1159](https://github.com/c-ares/c-ares/pull/1159) |
| 33 | +* ares_dns_parse: reject name compression in RDATA where not permitted (RFC 3597). [PR #1190](https://github.com/c-ares/c-ares/pull/1190) |
| 34 | +* ares_dns_parse: reject responses with more than one OPT record (RFC 6891). [PR #1189](https://github.com/c-ares/c-ares/pull/1189) |
| 35 | +* Discard oversized UDP datagrams instead of truncating the length frame. [PR #1161](https://github.com/c-ares/c-ares/pull/1161) |
| 36 | +* Route numeric config parsing through range-checked ares_str_parse_uint. [PR #1158](https://github.com/c-ares/c-ares/pull/1158) |
| 37 | +* Replace atoi-based port parsing with validated helper. [PR #1097](https://github.com/c-ares/c-ares/pull/1097) |
| 38 | +* Defer TCP connection error handling until DNS responses are parsed. [PR #1138](https://github.com/c-ares/c-ares/pull/1138) |
| 39 | +* Prevent undefined-behavior left shift in ares_calc_query_timeout(). [PR #1151](https://github.com/c-ares/c-ares/pull/1151) |
| 40 | +* Use unsigned type for ares_round_up_pow2_u64 to avoid undefined behavior. [PR #1107](https://github.com/c-ares/c-ares/pull/1107) |
| 41 | +* Fix undefined behavior in ares_buf_replace() pointer arithmetic. [PR #1099](https://github.com/c-ares/c-ares/pull/1099) |
| 42 | +* ares_array: reset offset when array becomes empty. [PR #1165](https://github.com/c-ares/c-ares/pull/1165) |
| 43 | +* ares_iface_ips: add ARES_IFACE_IP_NONE zero enum value. [PR #1187](https://github.com/c-ares/c-ares/pull/1187) |
| 44 | +* ares_sysconfig_files: recognize AIX netsvc.conf bind4/local4 tokens. [PR #1188](https://github.com/c-ares/c-ares/pull/1188) |
| 45 | +* Use safe string construction in Windows sysconfig join path. [PR #1143](https://github.com/c-ares/c-ares/pull/1143) |
| 46 | +* Fix zero-length RAW_RR losing type metadata during parsing. [PR #1129](https://github.com/c-ares/c-ares/pull/1129) |
| 47 | +* Fix RAW_RR type tostr/fromstr roundtrip mismatch. [PR #1123](https://github.com/c-ares/c-ares/pull/1123) |
| 48 | +* Fix NULL dereference for ifa netmask. [PR #1120](https://github.com/c-ares/c-ares/pull/1120) |
| 49 | +* adig: fix negated option prefix parsing. [PR #1135](https://github.com/c-ares/c-ares/pull/1135) |
| 50 | +* Use UnregisterWaitEx to prevent use-after-free on Win32. [PR #1111](https://github.com/c-ares/c-ares/pull/1111) |
| 51 | +* Add NULL check after ares_malloc_zero in Windows UTF8 conversion. [PR #1121](https://github.com/c-ares/c-ares/pull/1121) |
| 52 | +* Fix NULL dereference after ares_malloc_zero in Win32 IOCP event add. [PR #1132](https://github.com/c-ares/c-ares/pull/1132) |
| 53 | +* Fix microsecond overflow in ares_queue_wait_empty timeout. [PR #1122](https://github.com/c-ares/c-ares/pull/1122) |
| 54 | +* Fix NULL dereference in ares_buf_replace() on NULL buf. [PR #1124](https://github.com/c-ares/c-ares/pull/1124) |
| 55 | +* Initialize *read_bytes in ares_socket_recvfrom(). [PR #1125](https://github.com/c-ares/c-ares/pull/1125) |
| 56 | +* Fix memory leak of binbuf in ares_buf_parse_dns_binstr_int. [PR #1126](https://github.com/c-ares/c-ares/pull/1126) |
| 57 | +* Fix memory leak of qcache entry on key allocation failure. [PR #1127](https://github.com/c-ares/c-ares/pull/1127) |
| 58 | +* Fix memory leak of buf in ares_dns_multistring_combined() on OOM. [PR #1110](https://github.com/c-ares/c-ares/pull/1110) |
| 59 | +* Fix memory leaks on error paths in two functions. [PR #1109](https://github.com/c-ares/c-ares/pull/1109) |
| 60 | +* Fix memory leak of buckets in ares_htable_dict_keys() error path. [PR #1108](https://github.com/c-ares/c-ares/pull/1108) |
| 61 | +* Fix memory leak of bucket->key in ares_htable_dict_insert error path. [PR #1105](https://github.com/c-ares/c-ares/pull/1105) |
| 62 | +* Fix additional memory leaks. [PR #1091](https://github.com/c-ares/c-ares/pull/1091) [PR #1078](https://github.com/c-ares/c-ares/pull/1078) |
| 63 | +* Prevent corrupt addrinfo nodes on sockaddr allocation failure. [PR #1112](https://github.com/c-ares/c-ares/pull/1112) |
| 64 | +* Fix two logic bugs in DNS cookie handling. [PR #1103](https://github.com/c-ares/c-ares/pull/1103) |
| 65 | +* Fix linked list INSERT_BEFORE corruption and array insertdata_first ordering. [PR #1101](https://github.com/c-ares/c-ares/pull/1101) |
| 66 | +* Fix HASH_IDX macro missing parentheses. [PR #1128](https://github.com/c-ares/c-ares/pull/1128) |
| 67 | +* Fix malloc(0) in ares_htable_all_buckets on empty table. [PR #1131](https://github.com/c-ares/c-ares/pull/1131) |
| 68 | +* Fix wrong sizeof in QNX confstr() call truncating domain names. [PR #1130](https://github.com/c-ares/c-ares/pull/1130) |
| 69 | +* Clear probe pending flag after timeout. [PR #1059](https://github.com/c-ares/c-ares/pull/1059) |
| 70 | +* Fix incorrect check for empty wide string. [PR #1064](https://github.com/c-ares/c-ares/pull/1064) |
| 71 | +* Handle strdup failure. [PR #1077](https://github.com/c-ares/c-ares/pull/1077) |
| 72 | +* doc: reference ares_free_string(), not ares_free(). [PR #1084](https://github.com/c-ares/c-ares/pull/1084) |
| 73 | + |
| 74 | +Thanks go to these friendly people for their efforts and contributions for this |
| 75 | +release: |
| 76 | + |
| 77 | +* (@Alb3e3) |
| 78 | +* Brad House (@bradh352) |
| 79 | +* (@dankmeme01) |
| 80 | +* David Hotham (@dimbleby) |
| 81 | +* Tom Flynn (@Flynnzaa) |
| 82 | +* (@jmestwa-coder) |
| 83 | +* (@kodareef5) |
| 84 | +* Kaixuan Li (@MarkLee131) |
| 85 | +* (@lifenjoiner) |
| 86 | +* (@metsw24-max) |
| 87 | +* Song Li (@SongTonyLi) |
| 88 | +* (@uwezkhan) |
| 89 | + |
| 90 | + |
1 | 91 | ## c-ares version 1.34.6 - December 8 2025 |
2 | 92 |
|
3 | 93 | This is a security release. |
|
0 commit comments