Описание
Security update for libcares2
This update for libcares2 fixes the following issues:
- CVE-2023-32067: Fixed a denial of service that could be triggered by a 0-byte UDP payload (bsc#1211604).
- CVE-2023-31147: Fixed an insufficient randomness in generation of DNS query IDs (bsc#1211605).
- CVE-2023-31130: Fixed a buffer underflow when configuring specific IPv6 addresses (bsc#1211606).
- CVE-2023-31124: Fixed a build issue when cross-compiling that could lead to insufficient randomness (bsc#1211607).
Список пакетов
Image SLES12-SP5-SAP-Azure-LI-BYOS-Production
Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production
SUSE Linux Enterprise Server 12 SP2-BCL
SUSE Linux Enterprise Server 12 SP4-ESPOS
SUSE Linux Enterprise Server 12 SP4-LTSS
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server for SAP Applications 12 SP4
SUSE Linux Enterprise Server for SAP Applications 12 SP5
SUSE Linux Enterprise Software Development Kit 12 SP5
SUSE Linux Enterprise Workstation Extension 12 SP5
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud Crowbar 9
Ссылки
- Link for SUSE-SU-2023:2477-1
- E-Mail link for SUSE-SU-2023:2477-1
- SUSE Security Ratings
- SUSE Bug 1211604
- SUSE Bug 1211605
- SUSE Bug 1211606
- SUSE Bug 1211607
- SUSE CVE CVE-2023-31124 page
- SUSE CVE CVE-2023-31130 page
- SUSE CVE CVE-2023-31147 page
- SUSE CVE CVE-2023-32067 page
Описание
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
Затронутые продукты
Ссылки
- CVE-2023-31124
- SUSE Bug 1211607
Описание
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
Затронутые продукты
Ссылки
- CVE-2023-31130
- SUSE Bug 1211606
Описание
c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
Затронутые продукты
Ссылки
- CVE-2023-31147
- SUSE Bug 1211605
Описание
c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.
Затронутые продукты
Ссылки
- CVE-2023-32067
- SUSE Bug 1211604