Package details: pkg:deb/debian/c-ares@1.18.1-3
purl pkg:deb/debian/c-ares@1.18.1-3
Next non-vulnerable version 1.34.5-1
Latest non-vulnerable version 1.34.5-1
Risk 3.0
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-jvyw-e7te-aaam
Aliases:
CVE-2023-31147
GHSA-8r8p-23f3-64c2
c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compliant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
1.19.1-3
Affected by 0 other vulnerabilities.
1.20.1-1
Affected by 0 other vulnerabilities.
1.24.0-1
Affected by 0 other vulnerabilities.
1.27.0-1
Affected by 0 other vulnerabilities.
1.28.1-1
Affected by 0 other vulnerabilities.
1.33.1-1
Affected by 0 other vulnerabilities.
1.33.1-2
Affected by 0 other vulnerabilities.
1.34.2-1
Affected by 0 other vulnerabilities.
1.34.3-1
Affected by 0 other vulnerabilities.
1.34.4-2.1
Affected by 0 other vulnerabilities.
1.34.5-1
Affected by 0 other vulnerabilities.
VCID-nmcd-jnpw-aaaj
Aliases:
CVE-2024-25629
c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.
1.33.1-1
Affected by 0 other vulnerabilities.
1.33.1-2
Affected by 0 other vulnerabilities.
1.34.2-1
Affected by 0 other vulnerabilities.
1.34.3-1
Affected by 0 other vulnerabilities.
1.34.4-2.1
Affected by 0 other vulnerabilities.
1.34.5-1
Affected by 0 other vulnerabilities.
VCID-se1r-ejvf-aaar
Aliases:
CVE-2023-31124
GHSA-54xr-f67r-4pc4
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross-compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
1.19.1-3
Affected by 0 other vulnerabilities.
1.20.1-1
Affected by 0 other vulnerabilities.
1.24.0-1
Affected by 0 other vulnerabilities.
1.27.0-1
Affected by 0 other vulnerabilities.
1.28.1-1
Affected by 0 other vulnerabilities.
1.33.1-1
Affected by 0 other vulnerabilities.
1.33.1-2
Affected by 0 other vulnerabilities.
1.34.2-1
Affected by 0 other vulnerabilities.
1.34.3-1
Affected by 0 other vulnerabilities.
1.34.4-2.1
Affected by 0 other vulnerabilities.
1.34.5-1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-06-21T04:34:52.944454+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam https://security-tracker.debian.org/tracker/data/json 36.1.3
2025-06-21T01:14:37.431931+00:00 Debian Importer Affected by VCID-nmcd-jnpw-aaaj https://security-tracker.debian.org/tracker/data/json 36.1.3
2025-06-20T23:54:19.112655+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar https://security-tracker.debian.org/tracker/data/json 36.1.3
2025-06-20T22:16:38.994888+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam None 36.1.3
2025-06-20T20:01:15.078171+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar None 36.1.3
2025-06-05T14:05:22.129001+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar None 36.1.0
2025-04-04T07:24:09.983781+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-04-04T03:58:31.735471+00:00 Debian Importer Affected by VCID-nmcd-jnpw-aaaj https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-04-04T02:35:50.222851+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-04-04T00:55:04.726539+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam None 36.0.0
2025-04-03T23:04:29.387242+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar None 36.0.0
2025-02-21T18:46:26.464856+00:00 Debian Importer Affected by VCID-nmcd-jnpw-aaaj https://security-tracker.debian.org/tracker/data/json 35.1.0
2025-02-21T11:20:18.187287+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam None 35.1.0
2025-02-21T11:20:17.510797+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam https://security-tracker.debian.org/tracker/data/json 35.1.0
2025-02-21T11:19:46.820766+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar None 35.1.0
2025-02-21T11:19:41.327621+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar https://security-tracker.debian.org/tracker/data/json 35.1.0
2024-11-24T07:11:42.552123+00:00 Debian Importer Affected by VCID-nmcd-jnpw-aaaj https://security-tracker.debian.org/tracker/data/json 35.0.0
2024-11-24T00:42:02.871580+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam None 35.0.0
2024-11-24T00:42:02.177881+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam https://security-tracker.debian.org/tracker/data/json 35.0.0
2024-11-24T00:41:37.347273+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar None 35.0.0
2024-11-24T00:41:31.800727+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar https://security-tracker.debian.org/tracker/data/json 35.0.0
2024-10-11T03:51:57.342792+00:00 Debian Importer Affected by VCID-nmcd-jnpw-aaaj https://security-tracker.debian.org/tracker/data/json 34.0.2
2024-10-10T22:22:14.574090+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam None 34.0.2
2024-10-10T22:22:13.853804+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam https://security-tracker.debian.org/tracker/data/json 34.0.2
2024-10-10T22:21:49.835029+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar None 34.0.2
2024-10-10T22:21:44.167443+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar https://security-tracker.debian.org/tracker/data/json 34.0.2
2024-09-25T18:03:59.866960+00:00 Debian Importer Affected by VCID-nmcd-jnpw-aaaj https://security-tracker.debian.org/tracker/data/json 34.0.1
2024-09-20T03:11:55.756800+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam None 34.0.1
2024-09-20T03:11:55.073362+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam https://security-tracker.debian.org/tracker/data/json 34.0.1
2024-09-20T03:11:29.919796+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar None 34.0.1
2024-09-20T03:11:25.187032+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar https://security-tracker.debian.org/tracker/data/json 34.0.1
2024-04-26T03:10:35.138397+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam None 34.0.0rc4
2024-04-26T03:10:34.277183+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam https://security-tracker.debian.org/tracker/data/json 34.0.0rc4
2024-04-26T03:07:24.934442+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar None 34.0.0rc4
2024-04-26T03:07:22.438766+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar https://security-tracker.debian.org/tracker/data/json 34.0.0rc4
2024-01-12T13:05:31.279206+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam https://security-tracker.debian.org/tracker/data/json 34.0.0rc2
2024-01-12T13:05:26.118625+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam None 34.0.0rc2
2024-01-12T13:05:09.933007+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar None 34.0.0rc2
2024-01-12T13:05:09.056119+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar https://security-tracker.debian.org/tracker/data/json 34.0.0rc2
2024-01-05T08:46:18.330102+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam https://security-tracker.debian.org/tracker/data/json 34.0.0rc1
2024-01-05T08:46:13.350048+00:00 Debian Importer Affected by VCID-jvyw-e7te-aaam None 34.0.0rc1
2024-01-05T08:46:00.965533+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar https://security-tracker.debian.org/tracker/data/json 34.0.0rc1
2024-01-05T08:45:57.689817+00:00 Debian Importer Affected by VCID-se1r-ejvf-aaar None 34.0.0rc1