Descriptionc-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
c-ares (PTS)buster1.14.0-1+deb10u1vulnerable
buster (security)1.14.0-1+deb10u4vulnerable
bullseye (security), bullseye1.17.1-1+deb11u3vulnerable
sid, trixie1.31.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs

Notes (cares-1_19_1)
No impact on binaries shipped by Debian

Search for package or bug name: Reporting problems