[RELEASE] 1.34.6 (security)
Brad House
brad at brad-house.com
Mon Dec 8 17:35:58 CET 2025
## c-ares version 1.34.6 - December 8 2025
This is a security release.
Security:
* CVE-2025-62408. A use-after-free bug has been uncovered in read_answers() that
was introduced in v1.32.3. Please see https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5
Changes:
* Ignore Windows IDN Search Domains until proper IDN support is added. [PR #1034](https://github.com/c-ares/c-ares/pull/1034)
Bugfixes:
* Event Thread could stall when not notified of new queries on existing
connections that are in a bad state
[PR #1032](https://github.com/c-ares/c-ares/pull/1032)
* Fix conversion of invalid service to port number in ares_getaddrinfo()
[PR #1029](https://github.com/c-ares/c-ares/pull/1029)
* Fix memory leak in ares_uri
[PR #1012](https://github.com/c-ares/c-ares/pull/1012)
* Ignore ares_event_configchg_init failures
[PR #1009](https://github.com/c-ares/c-ares/pull/1009)
* Use XOR for random seed generation on fallback logic.
[PR #994](https://github.com/c-ares/c-ares/pull/994)
* Fix clang build on Windows.
[PR #996](https://github.com/c-ares/c-ares/pull/996)
* Fix IPv6 link-local nameservers in /etc/resolv.conf
[PR #996](https://github.com/c-ares/c-ares/pull/997)
* Fix a few build issues on MidnightBSD.
[PR #983](https://github.com/c-ares/c-ares/pull/983)
Thanks go to these friendly people for their efforts and contributions for this
release:
* Brad House (@bradh352)
* (@F3lixTheCat)
* Lucas Holt (@laffer1)
* @oargon
* Pavel P (@pps83)
* Sean Harmer (@seanharmer)
* Uwe (@nixblik)