Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:deb/debian/c-ares@1.19.1-2?distro=trixie
purl pkg:deb/debian/c-ares@1.19.1-2?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-3nsu-sz9r-pkbf Use of Insufficiently Random Values c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1. CVE-2023-31124
GHSA-54xr-f67r-4pc4
VCID-h5yg-sx9b-ska5 Use of Insufficiently Random Values c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1. CVE-2023-31147
GHSA-8r8p-23f3-64c2

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-03T07:20:07.143619+00:00 Debian Importer Fixing VCID-h5yg-sx9b-ska5 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:20:07.105686+00:00 Debian Importer Fixing VCID-3nsu-sz9r-pkbf https://security-tracker.debian.org/tracker/data/json 38.1.0