They are already marked as non-issues:
CVE-2023-31124 (c-ares is an asynchronous resolver library. When cross-compiling c-are ...)
- c-ares <unfixed> (unimportant)
NOTE: No impact on binaries shipped by Debian
CVE-2023-31147 (c-ares is an asynchronous resolver library. When /dev/urandom or RtlGe ...)
- c-ares <unfixed> (unimportant)
NOTE: Any Debian system/port provides /dev/urandom
But in fact the view in the Debian security tracker is a little misleading, given
that it displays "vulnerable" all over the place, e.g.
https://security-tracker.debian.org/tracker/CVE-2023-31147
It would be nice if, for "unimportant" issues, it would display "non issue/no impact"
instead of "vulnerable".
Cheers,
Moritz