On Thu, 29 Sep 2016, Gregor Jasny wrote:
Wheezy with c-ares 1.9.1 in not affected (stated in upstream announcement).
That isn't entirely accurate. This flaw is present in every c-ares release ever made until 1.12.0 unless you've done some changes not provided by upstream.
Before c-ares 1.10.0, the flaw is only present in the ares_mkquery() function which isn't identical to ares_create_query so the patch needs a little adjustment to apply there.
If you think I can clarify this better in the upstream advisory, please suggest a wording that would make it harder to misunderstand!
-- / daniel.haxx.se
