Candidate: CVE-2020-14354
PublicDate: 2021-05-13 14:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14354
 https://bugzilla.redhat.com/show_bug.cgi?id=1866838
Description:
 A possible use-after-free and double-free in c-ares lib version 1.16.0 if
 ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw
 possibly allows an attacker to crash the service that uses c-ares lib. The
 highest threat from this vulnerability is to this service availability.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L [3.3 LOW]


Patches_c-ares:
upstream_c-ares: released (1.16.1-1)
precise/esm_c-ares: DNE
trusty_c-ares: ignored (out of standard support)
trusty/esm_c-ares: DNE
xenial_c-ares: not-affected (code not present)
esm-infra/xenial_c-ares: not-affected (code not present)
bionic_c-ares: not-affected (code not present)
focal_c-ares: not-affected (code not present)
devel_c-ares: not-affected (1.16.1-1)