Re: c-ares, CVE-2023-31147, CVE-2023-31124
Hi Anton, all
Well, even if there are some systems affected, I must say that if
someone has removed urandom, the behavior described is expected. I
mean, /dev/urandom is there for a reason. And yes, there are better
functions than rand(), but I can hardly see this as a vulnerability. Or
well, it is, but it is the kind of vulnerability when you remove the
device that provides randomness in the system.
I would have marked them as "minor issue".
Cheers
// Ola
On Fri, 23 Jun 2023 at 06:49, Anton Gladky <gladk@debian.org> wrote:
>
> Hi,
>
> Two CVEs might be irrelevant for Debian systems. Can they be
> tagged as "unaffected"? Or do we have some systems where
> /dev/urandom does not exist?
>
> Thanks
>
> Anton
>
--
--- Inguza Technology AB --- MSc in Information Technology ----
| ola@inguza.com opal@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------