2965 matches found
CVE-2023-31124 AutoTools does not set CARES_RANDOM_FILE during cross compilation
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack ...
CVE-2023-31124
CVE-2023-31124 concerns c-ares where cross-compiling with autotools can leave CARES_RANDOM_FILE unset, causing a fallback to rand() for DNS query ID entropy rather than a CSPRNG. The result is reduced randomness and potential predictability of DNS IDs, raising security risk under entropy-limited ...
maven bug fix and enhancement update
An update is available for plexus-interpolation, httpcomponents-core, maven-wagon, maven, google-guice, jsoup, jansi, apache-commons-io, apache-commons-lang3, maven-shared-utils, plexus-utils, plexus-classworlds, jakarta-annotations, httpcomponents-client, apache-commons-codec, plexus-cipher,...
Uncontrolled Resource Consumption
c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns it to the target resolver. The target resolver erroneously interprets the 0 length as a graceful...
Use of Insufficiently Random Values
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack ...
Buffer Underwrite ('Buffer Underflow')
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain IPv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. c-ares only uses this function internally for configuration purposes which would require an administrator to...
Oracle Linux 8 : bind9.16 (ELSA-2023-2792)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-2792 advisory. - Handle subtle difference between upstream and rhel CVE-2022-3094 - Prevent flooding with UPDATE requests CVE-2022-3094 - Handle RRSIG queries when...
AlmaLinux 8 : bind9.16 (ALSA-2023:2792)
The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2023:2792 advisory. - By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying...
SUSE CVE-2023-28320
A denial of service vulnerability exists in curl v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using alarm and siglongjmp. When doi...
Internet Bug Bounty: CVE-2023-28320 - siglongjmp race condition
A race condition vulnerability CVE-2023-28320 existed in libcurl's synchronous resolver, which could allow a multi-threaded application to crash or misbehave due to the use of a global buffer that was not mutex protected. The vulnerability could result in a denial of service...
siglongjmp race condition
libcurl provides several different backends for resolving hostnames, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using alarm and siglongjmp. When doing this, libcurl used a global buffer that was not mutex protected a...
CURL-CVE-2023-28320 siglongjmp race condition
libcurl provides several different backends for resolving hostnames, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using alarm and siglongjmp. When doing this, libcurl used a global buffer that was not mutex protected a...
CVE-2023-28320
A denial of service vulnerability exists in curl v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using alarm and siglongjmp. When doi...
PT-2023-3433 · Curl +5
Name of the Vulnerable Software and Affected Versions: curl versions prior to 8.1.0 Description: A denial of service issue exists in the way libcurl provides several different backends for resolving host names. If libcurl is built to use the synchronous resolver, it allows name resolves to time-o...
bind: processing large delegations may severely degrade resolver performance
A flaw was found in bind. When flooding the target resolver with special queries, an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service...
Moderate: Red Hat Security Advisory: unbound security and bug fix update
An update for unbound is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from th...
bind: sending specific queries to the resolver may cause a DoS
A flaw was found in Bind. When the resolver receives many queries requiring recursion, there will be a corresponding increase in the number of clients waiting for recursion to complete. This may, under certain conditions, lead to an assertion failure and a denial of service...
Moderate: Red Hat Security Advisory: bind9.16 security and bug fix update
An update for bind9.16 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from t...