Security update for libcares2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:2477-1 Final 1 1 2023-06-09T10:43:56Z current 2023-06-09T10:43:56Z 2023-06-09T10:43:56Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libcares2 This update for libcares2 fixes the following issues: - CVE-2023-32067: Fixed a denial of service that could be triggered by a 0-byte UDP payload (bsc#1211604). - CVE-2023-31147: Fixed an insufficient randomness in generation of DNS query IDs (bsc#1211605). - CVE-2023-31130: Fixed a buffer underflow when configuring specific IPv6 addresses (bsc#1211606). - CVE-2023-31124: Fixed a build issue when cross-compiling that could lead to insufficient randomness (bsc#1211607). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-SAP-Azure-LI-BYOS-Production-2023-2477,Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production-2023-2477,SUSE-2023-2477,SUSE-OpenStack-Cloud-9-2023-2477,SUSE-OpenStack-Cloud-Crowbar-9-2023-2477,SUSE-SLE-SAP-12-SP4-2023-2477,SUSE-SLE-SDK-12-SP5-2023-2477,SUSE-SLE-SERVER-12-SP2-BCL-2023-2477,SUSE-SLE-SERVER-12-SP4-ESPOS-2023-2477,SUSE-SLE-SERVER-12-SP4-LTSS-2023-2477,SUSE-SLE-SERVER-12-SP5-2023-2477,SUSE-SLE-WE-12-SP5-2023-2477 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20232477-1/ Link for SUSE-SU-2023:2477-1 https://lists.suse.com/pipermail/sle-security-updates/2023-June/015133.html E-Mail link for SUSE-SU-2023:2477-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1211604 SUSE Bug 1211604 https://bugzilla.suse.com/1211605 SUSE Bug 1211605 https://bugzilla.suse.com/1211606 SUSE Bug 1211606 https://bugzilla.suse.com/1211607 SUSE Bug 1211607 https://www.suse.com/security/cve/CVE-2023-31124/ SUSE CVE CVE-2023-31124 page https://www.suse.com/security/cve/CVE-2023-31130/ SUSE CVE CVE-2023-31130 page https://www.suse.com/security/cve/CVE-2023-31147/ SUSE CVE CVE-2023-31147 page https://www.suse.com/security/cve/CVE-2023-32067/ SUSE CVE CVE-2023-32067 page Image SLES12-SP5-SAP-Azure-LI-BYOS-Production Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP4-ESPOS SUSE Linux Enterprise Server 12 SP4-LTSS SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 SUSE Linux Enterprise Workstation Extension 12 SP5 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9 libcares2-1.9.1-9.12.1 libcares-devel-1.9.1-9.12.1 libcares2-32bit-1.9.1-9.12.1 libcares2-64bit-1.9.1-9.12.1 libcares2-1.9.1-9.12.1 as a component of Image SLES12-SP5-SAP-Azure-LI-BYOS-Production libcares2-1.9.1-9.12.1 as a component of Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production libcares2-1.9.1-9.12.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL libcares2-1.9.1-9.12.1 as a component of SUSE Linux Enterprise Server 12 SP4-ESPOS libcares2-1.9.1-9.12.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS libcares2-1.9.1-9.12.1 as a component of SUSE Linux Enterprise Server 12 SP5 libcares2-1.9.1-9.12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 libcares2-1.9.1-9.12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 libcares-devel-1.9.1-9.12.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 libcares2-32bit-1.9.1-9.12.1 as a component of SUSE Linux Enterprise Workstation Extension 12 SP5 libcares2-1.9.1-9.12.1 as a component of SUSE OpenStack Cloud 9 libcares2-1.9.1-9.12.1 as a component of SUSE OpenStack Cloud Crowbar 9 c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1. CVE-2023-31124 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:libcares2-1.9.1-9.12.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server 12 SP2-BCL:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server 12 SP4-ESPOS:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server 12 SP5:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Software Development Kit 12 SP5:libcares-devel-1.9.1-9.12.1 SUSE Linux Enterprise Workstation Extension 12 SP5:libcares2-32bit-1.9.1-9.12.1 SUSE OpenStack Cloud 9:libcares2-1.9.1-9.12.1 SUSE OpenStack Cloud Crowbar 9:libcares2-1.9.1-9.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232477-1/ https://www.suse.com/security/cve/CVE-2023-31124.html CVE-2023-31124 https://bugzilla.suse.com/1211607 SUSE Bug 1211607 c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1. CVE-2023-31130 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:libcares2-1.9.1-9.12.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server 12 SP2-BCL:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server 12 SP4-ESPOS:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server 12 SP5:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Software Development Kit 12 SP5:libcares-devel-1.9.1-9.12.1 SUSE Linux Enterprise Workstation Extension 12 SP5:libcares2-32bit-1.9.1-9.12.1 SUSE OpenStack Cloud 9:libcares2-1.9.1-9.12.1 SUSE OpenStack Cloud Crowbar 9:libcares2-1.9.1-9.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232477-1/ https://www.suse.com/security/cve/CVE-2023-31130.html CVE-2023-31130 https://bugzilla.suse.com/1211606 SUSE Bug 1211606 c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1. CVE-2023-31147 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:libcares2-1.9.1-9.12.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server 12 SP2-BCL:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server 12 SP4-ESPOS:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server 12 SP5:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Software Development Kit 12 SP5:libcares-devel-1.9.1-9.12.1 SUSE Linux Enterprise Workstation Extension 12 SP5:libcares2-32bit-1.9.1-9.12.1 SUSE OpenStack Cloud 9:libcares2-1.9.1-9.12.1 SUSE OpenStack Cloud Crowbar 9:libcares2-1.9.1-9.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232477-1/ https://www.suse.com/security/cve/CVE-2023-31147.html CVE-2023-31147 https://bugzilla.suse.com/1211605 SUSE Bug 1211605 c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1. CVE-2023-32067 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:libcares2-1.9.1-9.12.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server 12 SP2-BCL:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server 12 SP4-ESPOS:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server 12 SP5:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libcares2-1.9.1-9.12.1 SUSE Linux Enterprise Software Development Kit 12 SP5:libcares-devel-1.9.1-9.12.1 SUSE Linux Enterprise Workstation Extension 12 SP5:libcares2-32bit-1.9.1-9.12.1 SUSE OpenStack Cloud 9:libcares2-1.9.1-9.12.1 SUSE OpenStack Cloud Crowbar 9:libcares2-1.9.1-9.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232477-1/ https://www.suse.com/security/cve/CVE-2023-32067.html CVE-2023-32067 https://bugzilla.suse.com/1211604 SUSE Bug 1211604