安全公告详情

NS-SA-2024-0109

2024-05-18 16:44:15

简介

moderate: libcap/c-ares security update

严重级别

moderate

主题

An update for libcap/c-ares is now available for NewStart CGSL MAIN 6.06.
NewStart Security has rated this update as having a security impact of moderate. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

libcap:
c-ares:


Security Fix(es):
libcap: A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory.(CVE-2023-2602)
libcap: A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.(CVE-2023-2603)
libcap: bugfix
c-ares: A heap buffer over-read flaw was found in c-ares via the ares_parse_soa_reply function in ares_parse_soa_reply.c.(CVE-2020-22217)
c-ares: A vulnerability was found in c-ares. This issue occurs in the ares_inet_net_pton() function, which is vulnerable to a buffer underflow for certain ipv6 addresses. "0::00:00:00/2" in particular was found to cause an issue. C-ares only uses this function internally for configuration purposes, which would require an administrator to configure such an address via ares_set_sortlist().(CVE-2023-31130)
c-ares: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.(CVE-2022-4904)
c-ares: A vulnerability was found in c-ares. This issue occurs when /dev/urandom or RtlGenRandom() are unavailable, c-ares will use rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand(), so it will generate predictable output.(CVE-2023-31147)
c-ares: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 6.06.07B7.

影响组件

  • libcap
  • c-ares

影响产品

  • CGSL MAIN 6.06

更新包

{"fix":[{"product":"CGSL MAIN 6.06","pkgs":[{"binary":["libcap-debugsource-2.48-5.zncgsl6.t4.0.x86_64.rpm","libcap-debuginfo-2.48-5.zncgsl6.t4.0.x86_64.rpm","libcap-2.48-5.zncgsl6.t4.0.x86_64.rpm","libcap-static-2.48-5.zncgsl6.t4.0.x86_64.rpm","libcap-devel-2.48-5.zncgsl6.t4.0.x86_64.rpm"],"source":"libcap-2.48-5.zncgsl6.t4.0.src.rpm"},{"binary":["c-ares-devel-1.13.0-9.zncgsl6.1.t1.0.x86_64.rpm","c-ares-debuginfo-1.13.0-9.zncgsl6.1.t1.0.x86_64.rpm","c-ares-debugsource-1.13.0-9.zncgsl6.1.t1.0.x86_64.rpm","c-ares-1.13.0-9.zncgsl6.1.t1.0.x86_64.rpm"],"source":"c-ares-1.13.0-9.zncgsl6.1.t1.0.src.rpm"}]}]}
CGSL MAIN 6.06
  • libcap-2.48-5.zncgsl6.t4.0.src.rpm
    • libcap-debugsource-2.48-5.zncgsl6.t4.0.x86_64.rpm
    • libcap-debuginfo-2.48-5.zncgsl6.t4.0.x86_64.rpm
    • libcap-2.48-5.zncgsl6.t4.0.x86_64.rpm
    • libcap-static-2.48-5.zncgsl6.t4.0.x86_64.rpm
    • libcap-devel-2.48-5.zncgsl6.t4.0.x86_64.rpm
  • c-ares-1.13.0-9.zncgsl6.1.t1.0.src.rpm
    • c-ares-devel-1.13.0-9.zncgsl6.1.t1.0.x86_64.rpm
    • c-ares-debuginfo-1.13.0-9.zncgsl6.1.t1.0.x86_64.rpm
    • c-ares-debugsource-1.13.0-9.zncgsl6.1.t1.0.x86_64.rpm
    • c-ares-1.13.0-9.zncgsl6.1.t1.0.x86_64.rpm

CVE

参考

© 2004-2023 广东中兴新支点技术有限公司 版权所有 (www.gd-linux.com) 粤ICP备15061780号-2

全国服务热线:400-033-0108