Oracle Linux: CVE-2023-31130: ELSA-2023-3577: 18 security update (IMPORTANT) (Multiple Advisories)

Oracle Linux: CVE-2023-31130: ELSA-2023-3577: 18 security update (IMPORTANT) (Multiple Advisories)

Severity

5

CVSS

(AV:L/AC:H/Au:M/C:N/I:C/A:C)

Published

05/22/2023

Created

06/16/2023

Added

06/15/2023

Modified

01/23/2025

Description

c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue.C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1. A vulnerability was found in c-ares. This issue occurs in the ares_inet_net_pton() function, which is vulnerable to a buffer underflow for certain ipv6 addresses. "0::00:00:00/2" in particular was found to cause an issue. C-ares only uses this function internally for configuration purposes, which would require an administrator to configure such an address via ares_set_sortlist().

Solution(s)

• oracle-linux-upgrade-c-ares
• oracle-linux-upgrade-c-ares-devel
• oracle-linux-upgrade-nodejs
• oracle-linux-upgrade-nodejs-devel
• oracle-linux-upgrade-nodejs-docs
• oracle-linux-upgrade-nodejs-full-i18n
• oracle-linux-upgrade-nodejs-libs
• oracle-linux-upgrade-nodejs-nodemon
• oracle-linux-upgrade-nodejs-packaging
• oracle-linux-upgrade-nodejs-packaging-bundler
• oracle-linux-upgrade-npm

References

• https://attackerkb.com/topics/cve-2023-31130
• CVE - 2023-31130
• ELSA-2023-3577
• ELSA-2023-4035
• ELSA-2023-4034
• ELSA-2023-6635
• ELSA-2023-7207
• ELSA-2023-3586

View more