info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
c-ares, CVE-2023-31147, CVE-2023-31124
2 views
Skip to first unread message
Anton Gladky
Jun 23, 2023, 12:50:04 AM6/23/23
to
Hi,
two CVEs might be irrelevant for Debian systems. Can they be
tagged as "unaffected"? Or we have some systems, where
/dev/urandom is not existing?
Thanks
Anton
two CVEs might be irrelevant for Debian systems. Can they be
tagged as "unaffected"? Or we have some systems, where
/dev/urandom is not existing?
Thanks
Anton
Moritz Muehlenhoff
Jun 23, 2023, 4:30:04 AM6/23/23
to
CVE-2023-31124 (c-ares is an asynchronous resolver library. When cross-compiling c-are ...)
- c-ares <unfixed> (unimportant)
NOTE: No impact on binaries shipped by Debian
CVE-2023-31147 (c-ares is an asynchronous resolver library. When /dev/urandom or RtlGe ...) - c-ares <unfixed> (unimportant) NOTE: Any Debian system/port provides /dev/urandom
But in fact the view in the Debian security is a little misleading, given
that it displays "vulnerable" all over the place, e.g.
https://security-tracker.debian.org/tracker/CVE-2023-31147
It would be nice if that "unimportant" issues it would instead display "non issue/no impact"
instead of "vulnerable.
Cheers,
Moritz
Ola Lundqvist
Jun 23, 2023, 3:10:03 PM6/23/23
to
Hi Anton, all
Well even if there are some systems affected I must say that if
someone have removed urandom the behavior described is expected. I
mean /dev/urandom is there for a reason. And yes there are better
functions than rand() but I can hardly see this as a vulnerability. Or
well it is, but it is the kind of vulnerability when you remove the
device that provide randomness in the system.
I would have marked them as "minor issue".
Cheers
// Ola
--
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com op...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------
Well even if there are some systems affected I must say that if
someone have removed urandom the behavior described is expected. I
mean /dev/urandom is there for a reason. And yes there are better
functions than rand() but I can hardly see this as a vulnerability. Or
well it is, but it is the kind of vulnerability when you remove the
device that provide randomness in the system.
I would have marked them as "minor issue".
Cheers
// Ola
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com op...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------
Anton Gladky
Jun 23, 2023, 4:10:03 PM6/23/23
to
Thank you all for your replies!
@Moritz, could you please create an issue with a
the possible proposal, how it should look like?
Best regards
Anton
@Moritz, could you please create an issue with a
the possible proposal, how it should look like?
Best regards
Anton
Moritz Mühlenhoff
Jun 27, 2023, 2:50:04 PM6/27/23
to
Am Fri, Jun 23, 2023 at 09:59:45PM +0200 schrieb Anton Gladky:
> Thank you all for your replies!
>
> @Moritz, could you please create an issue with a
> the possible proposal, how it should look like?
Sure, filed as #1039606
> Thank you all for your replies!
>
> @Moritz, could you please create an issue with a
> the possible proposal, how it should look like?
Thanks,
Moritz
0 new messages