Description
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross-compiling for aarch64 Android. This will downgrade to using rand() as a fallback, which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
A flaw was found in c-ares. When c-ares is cross-compiled with the autotools build system, CARES_RANDOM_FILE is not set, as seen when cross-compiling for aarch64 Android. As a result, it downgrades to rand(), which could allow an attacker to take advantage of the lack of entropy because no CSPRNG is used.
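The failure mode described above, as an added example that is not c-ares code: a rand() fallback produces a sequence fixed by its seed, while a hardened reader of the random file fails closed when the path is unset. The function names are hypothetical, and `/dev/urandom` is assumed to be the random file.

```c
#include <stdio.h>
#include <stdlib.h>

/* Weak path: the rand() fallback. The whole sequence is a function of
   the seed, so two runs with the same seed are identical. */
static void values_from_rand(unsigned seed, unsigned short *out, size_t n)
{
    srand(seed);
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned short)(rand() & 0xffff);
}

/* Hardened path: read from the configured random file (the kernel CSPRNG
   device). A NULL path models the unset build-time value; the function
   fails closed (-1) and never downgrades to rand(). */
static int values_from_random_file(const char *path, unsigned short *out, size_t n)
{
    FILE *f = path ? fopen(path, "rb") : NULL;
    if (f == NULL)
        return -1;
    size_t got = fread(out, sizeof out[0], n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Returns 1 when two rand() runs with the same seed agree on every value. */
static int rand_sequence_repeats(unsigned seed)
{
    unsigned short a[8], b[8];
    values_from_rand(seed, a, 8);
    values_from_rand(seed, b, 8);
    for (size_t i = 0; i < 8; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

int main(void)
{
    unsigned short v[4];
    printf("rand() repeats for seed 1: %d\n", rand_sequence_repeats(1u));
    printf("unset random file:        %d\n", values_from_random_file(NULL, v, 4));
    printf("/dev/urandom:             %d\n", values_from_random_file("/dev/urandom", v, 4));
    return 0;
}
```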
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | c-ares | Out of support scope | | |
Red Hat Enterprise Linux 7 | c-ares | Out of support scope | | |
Red Hat Enterprise Linux 8 | c-ares | Fix deferred | | |
Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2023:4034 | 12.07.2023 |
Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2023:4035 | 12.07.2023 |
Red Hat Enterprise Linux 8.6 Extended Update Support | nodejs | Fixed | RHSA-2023:4033 | 12.07.2023 |
Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2023:3577 | 14.06.2023 |
Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2023:3586 | 14.06.2023 |
Red Hat Enterprise Linux 9 | c-ares | Fixed | RHSA-2023:6635 | 07.11.2023 |
Additional information
Status:
EPSS
CVSS3: 3.7 Low
Related vulnerabilities
c-ares is an asynchronous resolver library. When cross-compiling c-are ...
Vulnerability in the autotools CARES_RANDOM_FILE component of the C-ares asynchronous DNS request library that allows an attacker to affect the integrity of protected information