{
  "threat_severity" : "Moderate",
  "public_date" : "2016-09-29T00:00:00Z",
  "bugzilla" : {
    "description" : "c-ares: Single byte out of buffer write",
    "id" : "1380463",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1380463"
  },
  "cvss" : {
    "cvss_base_score" : "5.0",
    "cvss_scoring_vector" : "AV:N/AC:L/Au:N/C:N/I:N/A:P",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-193->CWE-122",
  "details" : [ "Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.", "A vulnerability was found in c-ares. A hostname with an escaped trailing dot (such as \"hello\\.\") would have its size calculated incorrectly, leading to a single byte written beyond the end of a buffer on the heap. An attacker able to provide such a hostname to an application using c-ares, could potentially cause that application to crash." ],
  "statement" : "Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
  "affected_release" : [ {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-http-parser-0:2.7.0-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2017-01-02T00:00:00Z",
    "advisory" : "RHSA-2017:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-nodejs4-nodejs-0:4.6.2-4.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "c-ares",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "c-ares",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "c-ares",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Operational Tools",
    "fix_state" : "Under investigation",
    "package_name" : "nodejs",
    "cpe" : "cpe:/a:redhat:openstack-optools:7"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2",
    "fix_state" : "Not affected",
    "package_name" : "nodejs010-nodejs",
    "cpe" : "cpe:/a:redhat:openshift:2"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 3",
    "fix_state" : "Not affected",
    "package_name" : "nodejs",
    "cpe" : "cpe:/a:redhat:openshift:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "nodejs010-c-ares",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "nodejs010-nodejs",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-nodejs6-nodejs",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-nodejs8-nodejs",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-5180\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-5180\nhttps://c-ares.haxx.se/adv_20160929.html" ],
  "name" : "CVE-2016-5180",
  "csaw" : false
}