[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: c-ares, CVE-2023-31147, CVE-2023-31124

Thank you all for your replies!

@Moritz, could you please create an issue with a
the possible proposal, how it should look like?

Best regards

Anton

Am Fr., 23. Juni 2023 um 20:49 Uhr schrieb Ola Lundqvist <ola@inguza.com>:
>
> Hi Anton, all
>
> Well even if there are some systems affected I must say that if
> someone have removed urandom the behavior described is expected. I
> mean /dev/urandom is there for a reason. And yes there are better
> functions than rand() but I can hardly see this as a vulnerability. Or
> well it is, but it is the kind of vulnerability when you remove the
> device that provide randomness in the system.
>
> I would have marked them as "minor issue".
>
> Cheers
>
> // Ola
>
>
> On Fri, 23 Jun 2023 at 06:49, Anton Gladky <gladk@debian.org> wrote:
> >
> > Hi,
> >
> > two CVEs might be irrelevant for Debian systems. Can they be
> > tagged as "unaffected"? Or we have some systems, where
> > /dev/urandom is not existing?
> >
> > Thanks
> >
> > Anton
> >
>
>
> --
>  --- Inguza Technology AB --- MSc in Information Technology ----
> |  ola@inguza.com                    opal@debian.org            |
> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>  ---------------------------------------------------------------
Reply to: