[ALAS2-2024-2399] Amazon Linux 2 2017.12 - ALAS2-2024-2399: medium priority package update for c-ares

Severity Medium

Affected Packages 9

CVEs 3

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2023-31130:
ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist().

However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues.

CVE-2022-4904:
A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.

CVE-2021-3672:
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

Package	Affected Version
pkg:rpm/amazonlinux/c-ares?arch=x86_64&distro=amazonlinux-2	< 1.10.0-3.amzn2.0.4
pkg:rpm/amazonlinux/c-ares?arch=i686&distro=amazonlinux-2	< 1.10.0-3.amzn2.0.4
pkg:rpm/amazonlinux/c-ares?arch=aarch64&distro=amazonlinux-2	< 1.10.0-3.amzn2.0.4
pkg:rpm/amazonlinux/c-ares-devel?arch=x86_64&distro=amazonlinux-2	< 1.10.0-3.amzn2.0.4
pkg:rpm/amazonlinux/c-ares-devel?arch=i686&distro=amazonlinux-2	< 1.10.0-3.amzn2.0.4
pkg:rpm/amazonlinux/c-ares-devel?arch=aarch64&distro=amazonlinux-2	< 1.10.0-3.amzn2.0.4
pkg:rpm/amazonlinux/c-ares-debuginfo?arch=x86_64&distro=amazonlinux-2	< 1.10.0-3.amzn2.0.4
pkg:rpm/amazonlinux/c-ares-debuginfo?arch=i686&distro=amazonlinux-2	< 1.10.0-3.amzn2.0.4
pkg:rpm/amazonlinux/c-ares-debuginfo?arch=aarch64&distro=amazonlinux-2	< 1.10.0-3.amzn2.0.4

ID

ALAS2-2024-2399

Severity

medium

URL

https://alas.aws.amazon.com/AL2/ALAS-2024-2399.html

Published

2024-01-03T21:04:00
(8 months ago)

Modified

2024-01-03T21:04:00
(8 months ago)

Rights

Amazon Linux Security Team

Other Advisories

Source	# ID	URL
CVE	CVE-2021-3672	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3672
CVE	CVE-2022-4904	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904
CVE	CVE-2023-31130	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31130

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch
Affected	pkg:rpm/amazonlinux/c-ares?arch=x86_64&distro=amazonlinux-2	amazonlinux	c-ares	< 1.10.0-3.amzn2.0.4	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/c-ares?arch=i686&distro=amazonlinux-2	amazonlinux	c-ares	< 1.10.0-3.amzn2.0.4	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/c-ares?arch=aarch64&distro=amazonlinux-2	amazonlinux	c-ares	< 1.10.0-3.amzn2.0.4	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/c-ares-devel?arch=x86_64&distro=amazonlinux-2	amazonlinux	c-ares-devel	< 1.10.0-3.amzn2.0.4	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/c-ares-devel?arch=i686&distro=amazonlinux-2	amazonlinux	c-ares-devel	< 1.10.0-3.amzn2.0.4	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/c-ares-devel?arch=aarch64&distro=amazonlinux-2	amazonlinux	c-ares-devel	< 1.10.0-3.amzn2.0.4	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/c-ares-debuginfo?arch=x86_64&distro=amazonlinux-2	amazonlinux	c-ares-debuginfo	< 1.10.0-3.amzn2.0.4	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/c-ares-debuginfo?arch=i686&distro=amazonlinux-2	amazonlinux	c-ares-debuginfo	< 1.10.0-3.amzn2.0.4	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/c-ares-debuginfo?arch=aarch64&distro=amazonlinux-2	amazonlinux	c-ares-debuginfo	< 1.10.0-3.amzn2.0.4	amazonlinux-2	aarch64

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date