Amazon Linux 2 Security Advisory: ALAS-2024-2646
Advisory Release Date: 2024-09-25 22:07 Pacific
Advisory Updated Date: 2024-10-02 14:30 Pacific
Insufficient randomness in generation of DNS query IDs
When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate the random numbers used for DNS query IDs. rand() is not a CSPRNG, and it is also not seeded by srand(), so it will generate predictable output.
Input from the random number generator is fed into a non-compliant RC4 implementation and may not be as strong as the original RC4 implementation.
No attempt is made to look for modern OS-provided CSPRNGs like arc4random(), which is widely available. (CVE-2023-31147)
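The following added example (not code from the advisory or from the c-ares project) illustrates the two halves of the description above: a query-ID generator that draws from rand() without ever calling srand(), and a hardened generator that draws the 16-bit ID from the operating system CSPRNG via getrandom(2), with /dev/urandom as the fallback. The function names and the 8-ID "restart" comparison are constructed for the example; the C standard guarantees that rand() called before any srand() behaves as if srand(1) had been called, which is what weak_sequence() relies on to model a fresh process start.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__linux__)
#include <sys/random.h>   /* getrandom(2), glibc >= 2.25 (assumed available) */
#endif

/* Weak generator in the style the advisory describes: rand() with no srand().
 * Every process that does this emits the same sequence of IDs after start-up,
 * so the IDs are not a secret at all. */
uint16_t weak_query_id(void) {
    return (uint16_t)(rand() & 0xFFFF);
}

/* Hardened generator: take the ID from the kernel CSPRNG. Returns 0 on
 * success and -1 on failure so the caller can refuse to send the query
 * rather than silently fall back to a predictable source. */
int strong_query_id(uint16_t *out) {
#if defined(__linux__)
    if (getrandom(out, sizeof *out, 0) == (ssize_t)sizeof *out)
        return 0;
#endif
    /* Fallback path: read directly from /dev/urandom. */
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(out, 1, sizeof *out, f);
    fclose(f);
    return got == sizeof *out ? 0 : -1;
}

/* Produce n IDs from the weak generator after resetting it to the unseeded
 * state (srand(1) is, by the C standard, the state rand() starts in). This
 * models "restart the resolver and watch the first n IDs it sends". */
void weak_sequence(uint16_t *buf, size_t n) {
    srand(1);
    for (size_t i = 0; i < n; i++)
        buf[i] = weak_query_id();
}

/* Produce n IDs from the hardened generator; -1 if the CSPRNG is unusable. */
int strong_sequence(uint16_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strong_query_id(&buf[i]) != 0)
            return -1;
    return 0;
}

/* 1 if two ID sequences agree position for position, else 0. */
int sequences_match(const uint16_t *a, const uint16_t *b, size_t n) {
    return memcmp(a, b, n * sizeof *a) == 0;
}

int main(void) {
    uint16_t a[8], b[8], c[8], d[8];

    weak_sequence(a, 8);
    weak_sequence(b, 8);
    printf("weak generator: two restarts produce identical IDs? %s\n",
           sequences_match(a, b, 8) ? "yes" : "no");

    if (strong_sequence(c, 8) == 0 && strong_sequence(d, 8) == 0)
        printf("strong generator: two draws identical? %s\n",
               sequences_match(c, d, 8) ? "yes" : "no");
    else
        printf("strong generator unavailable: %s\n", strerror(errno));
    return 0;
}
```

The weak path prints "yes" on every run because the sequence is fixed by the implementation, not by anything secret; the hardened path prints "no" (two 128-bit draws from a CSPRNG coinciding is negligible). The design point is the error handling: when the OS source is unavailable the hardened generator fails closed instead of degrading to rand(), which is exactly the fallback the advisory flags.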
Affected Packages:
c-ares
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update c-ares to update your system.
aarch64:
c-ares-1.19.1-1.amzn2.0.1.aarch64
c-ares-devel-1.19.1-1.amzn2.0.1.aarch64
c-ares-debuginfo-1.19.1-1.amzn2.0.1.aarch64
i686:
c-ares-1.19.1-1.amzn2.0.1.i686
c-ares-devel-1.19.1-1.amzn2.0.1.i686
c-ares-debuginfo-1.19.1-1.amzn2.0.1.i686
src:
c-ares-1.19.1-1.amzn2.0.1.src
x86_64:
c-ares-1.19.1-1.amzn2.0.1.x86_64
c-ares-devel-1.19.1-1.amzn2.0.1.x86_64
c-ares-debuginfo-1.19.1-1.amzn2.0.1.x86_64