OESA-2023-1357

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1357
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2023-1357.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2023-1357
Upstream
Published
2023-06-17T11:05:24Z
Modified
2025-08-12T05:20:03.186647Z
Summary
c-ares security update
Details

Security Fix(es):

c-ares is an asynchronous resolver library. aresinetnetpton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via aressetsortlist(). However, users may externally use aresinetnetpton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1. (CVE-2023-31130)

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.(CVE-2023-31147)

Database specific 
{
    "severity": "Medium"
}
References

Affected packages

openEuler:20.03-LTS-SP1 / c-ares

Package

Name
c-ares
Purl
pkg:rpm/openEuler/c-ares&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.16.1-7.oe1

Ecosystem specific 

{
    "src": [
        "c-ares-1.16.1-7.oe1.src.rpm"
    ],
    "x86_64": [
        "c-ares-devel-1.16.1-7.oe1.x86_64.rpm",
        "c-ares-debuginfo-1.16.1-7.oe1.x86_64.rpm",
        "c-ares-1.16.1-7.oe1.x86_64.rpm",
        "c-ares-debugsource-1.16.1-7.oe1.x86_64.rpm"
    ],
    "aarch64": [
        "c-ares-1.16.1-7.oe1.aarch64.rpm",
        "c-ares-debugsource-1.16.1-7.oe1.aarch64.rpm",
        "c-ares-debuginfo-1.16.1-7.oe1.aarch64.rpm",
        "c-ares-devel-1.16.1-7.oe1.aarch64.rpm"
    ],
    "noarch": [
        "c-ares-help-1.16.1-7.oe1.noarch.rpm"
    ]
}