Security Advisory Details

NS-SA-2025-0075

2025-05-28 09:42:11

Summary

low: c-ares/tongsuo security update

Severity

low

Topic

An update for c-ares/tongsuo is now available for NewStart CGSL MAIN 7.02.
NewStart Security has rated this update as having a security impact of low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

c-ares:
tongsuo:


Security Fix(es):
c-ares: A vulnerability was found in c-ares where ares__read_line() is used to parse local configuration files such as /etc/resolv.conf, /etc/nsswitch.conf, the HOSTALIASES file, and, if using a c-ares version prior to 1.22.0, the /etc/hosts file. If a configuration file has an embedded NULL character as the first character of a new line, the function can attempt to read memory before the start of the given buffer, which may result in a crash. (CVE-2024-25629)
c-ares: bugfix
tongsuo: A timing side-channel vulnerability was found in OpenSSL. This vulnerability allows an attacker to recover the private key. However, measuring the timing would require local access to the signing application or a fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This issue can happen with significant probability only for some of the supported elliptic curves. In particular, the NIST P-521 curve is affected. (CVE-2024-13176)
tongsuo: A flaw was found in OpenSSL. Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. X9.62 encoding is used for ECC keys in X.509 certificates, so problematic inputs cannot occur in the context of processing X.509 certificates. Any problematic use-cases would have to be using an "exotic" curve encoding. Applications working with "exotic" explicit binary (GF(2^m)) curve parameters, which make it possible to represent invalid field polynomials with a zero constant term via the affected APIs (EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), and various supporting BN_GF2m_*() functions), may terminate abruptly as a result of reading or writing outside of array bounds. (CVE-2024-9143)
tongsuo: bugfix
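The c-ares entry above describes a defect class that is easy to reproduce in any hand-written line reader: strlen() returns 0 for a line whose first byte is an embedded NUL, and code that then touches buf[len - 1] reads before the buffer. The following is an added illustration, not c-ares' ares__read_line() and not part of this advisory: a hypothetical, simplified reader (read_line_hardened, parse_sample, parsed_line are all constructed names) that keeps the bounds check, parsed over a constructed resolv.conf-style sample whose second line starts with a NUL byte.

```c
#define _POSIX_C_SOURCE 200809L  /* for fmemopen() */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical, simplified config-file line reader; constructed for this
 * example and not c-ares' ares__read_line(). It shows the defect class the
 * advisory describes (indexing buf[len - 1] when strlen() returned 0 because
 * the line starts with an embedded NUL) and the bounds check that avoids it. */

#define MAX_LINES 8
#define LINE_LEN  64

/* Reads one line into buf and strips trailing whitespace/newline.
 * Returns 1 if a line was read, 0 at EOF. Never indexes before buf[0]. */
static int read_line_hardened(FILE *fp, char *buf, size_t bufsize)
{
    if (fgets(buf, (int)bufsize, fp) == NULL)
        return 0;

    /* A NUL as the first byte of the line makes strlen() return 0.
     * The unsafe form of this step is:
     *     if (buf[len - 1] == '\n') buf[len - 1] = '\0';
     * which with len == 0 reads and writes buf[-1], before the buffer. */
    size_t len = strlen(buf);
    while (len > 0 && isspace((unsigned char)buf[len - 1]))
        buf[--len] = '\0';
    return 1;
}

static char parsed[MAX_LINES][LINE_LEN];

/* Parses a constructed resolv.conf-style sample whose second line begins
 * with an embedded NUL byte. Returns the number of lines read; each line's
 * text is available via parsed_line(). The NUL-led line is read as empty
 * instead of triggering an out-of-bounds access. */
int parse_sample(void)
{
    /* Constructed input; the explicit length keeps the embedded NUL. */
    static const char sample[] =
        "nameserver 10.0.0.1\n"
        "\0options rotate\n"
        "search example.test\n";
    FILE *fp = fmemopen((void *)sample, sizeof(sample) - 1, "r");
    int n = 0;
    if (fp == NULL)
        return -1;
    while (n < MAX_LINES && read_line_hardened(fp, parsed[n], LINE_LEN))
        n++;
    fclose(fp);
    return n;
}

const char *parsed_line(int i)
{
    return (i >= 0 && i < MAX_LINES) ? parsed[i] : "";
}

int main(void)
{
    int n = parse_sample();
    for (int i = 0; i < n; i++)
        printf("line %d: \"%s\"\n", i, parsed_line(i));
    return 0;
}
```

The sample yields three lines; the second comes back as an empty string rather than as a read of buf[-1]. A reader that needs to keep the bytes after an embedded NUL would have to track the byte count itself (for example with getline(), which returns it), since fgets() and strlen() cannot see past the NUL.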


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 7.02.02B7.

Affected Components

  • c-ares
  • tongsuo

Affected Products

  • CGSL MAIN 7.02

Update Packages

CGSL MAIN 7.02
  • c-ares-1.19.1-1.zncgsl7.4.src.rpm
    • c-ares-1.19.1-1.zncgsl7.4.x86_64.rpm
  • tongsuo-8.3.3-5.zncgsl7.21.src.rpm
    • tongsuo-8.3.3-5.zncgsl7.21.x86_64.rpm
    • tongsuo-core-8.3.3-5.zncgsl7.21.x86_64.rpm

CVE

References

© 2004-2023 Guangdong Zhongxing NewStart Technology Co., Ltd. All rights reserved (www.gd-linux.com) 粤ICP备15061780号-2

National service hotline: 400-033-0108