• c-ares, CVE-2023-31147, CVE-2023-31124

    From Anton Gladky@21:1/5 to All on Fri Jun 23 06:50:01 2023
    Hi,

    two CVEs might be irrelevant for Debian systems. Can they be
    tagged as "unaffected"? Or do we have some systems where
    /dev/urandom does not exist?

    Thanks

    Anton

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Moritz Muehlenhoff@21:1/5 to Anton Gladky on Fri Jun 23 10:30:01 2023
    On Fri, Jun 23, 2023 at 06:48:23AM +0200, Anton Gladky wrote:
    > Hi,
    >
    > two CVEs might be irrelevant for Debian systems. Can they be
    > tagged as "unaffected"? Or do we have some systems where
    > /dev/urandom does not exist?

    They are already marked as non-issues:

    CVE-2023-31124 (c-ares is an asynchronous resolver library. When cross-compiling c-are ...)
    - c-ares <unfixed> (unimportant)
    NOTE: No impact on binaries shipped by Debian

    CVE-2023-31147 (c-ares is an asynchronous resolver library. When /dev/urandom or RtlGe ...)
    - c-ares <unfixed> (unimportant)
    NOTE: Any Debian system/port provides /dev/urandom

    But in fact the view in the Debian security tracker is a little misleading, given
    that it displays "vulnerable" all over the place, e.g. https://security-tracker.debian.org/tracker/CVE-2023-31147

    It would be nice if for "unimportant" issues it would instead display "non issue/no impact"
    instead of "vulnerable".

    Cheers,
    Moritz

  • From Ola Lundqvist@21:1/5 to Anton Gladky on Fri Jun 23 21:10:01 2023
    Hi Anton, all

    Well even if there are some systems affected I must say that if
    someone has removed urandom the behavior described is expected. I
    mean /dev/urandom is there for a reason. And yes there are better
    functions than rand() but I can hardly see this as a vulnerability. Or
    well it is, but it is the kind of vulnerability you get when you remove the
    device that provides randomness in the system.

    I would have marked them as "minor issue".

    Cheers

    // Ola


    On Fri, 23 Jun 2023 at 06:49, Anton Gladky <gladk@debian.org> wrote:
    > Hi,
    >
    > two CVEs might be irrelevant for Debian systems. Can they be
    > tagged as "unaffected"? Or do we have some systems where
    > /dev/urandom does not exist?
    >
    > Thanks
    >
    > Anton



    --
    --- Inguza Technology AB --- MSc in Information Technology ----
    | ola@inguza.com opal@debian.org |
    | http://inguza.com/ Mobile: +46 (0)70-332 1551 |
    ---------------------------------------------------------------

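    The rand() fallback Ola refers to is what CVE-2023-31147 describes. As an added
    example that is not c-ares or Debian code, this is the fail-closed pattern a resolver
    can use instead: draw DNS query IDs from /dev/urandom and refuse to proceed when the
    device is missing rather than degrading to rand(). The function names are mine.

```c
/* Added example (not c-ares code): read randomness for DNS query IDs from
 * /dev/urandom and fail closed when the device is absent, instead of
 * silently falling back to rand(). */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fill buf with len bytes read from the device at path (e.g. "/dev/urandom").
 * Returns 0 on success, -1 if the device cannot be opened or fully read. */
int fill_random_from(const char *path, uint8_t *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;                 /* device missing: do NOT fall back to rand() */
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;              /* interrupted: retry the read */
        if (n <= 0) {
            close(fd);
            return -1;             /* short read or error: fail closed */
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Return a 16-bit DNS transaction ID drawn from /dev/urandom, or -1 if no
 * usable randomness source exists. Callers must treat -1 as fatal. */
int secure_query_id(void)
{
    uint8_t b[2];
    if (fill_random_from("/dev/urandom", b, sizeof b) != 0)
        return -1;
    return (b[0] << 8) | b[1];
}

int main(void)
{
    int id = secure_query_id();
    if (id < 0) {
        fprintf(stderr, "no /dev/urandom: refusing to send DNS queries\n");
        return 1;
    }
    printf("query id 0x%04x\n", id);
    return 0;
}
```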
  • From Anton Gladky@21:1/5 to All on Fri Jun 23 22:10:01 2023
    Thank you all for your replies!

    @Moritz, could you please create an issue with the possible
    proposal of how it should look?

    Best regards

    Anton

    On Fri, 23 Jun 2023 at 20:49, Ola Lundqvist <ola@inguza.com> wrote:
    > Hi Anton, all
    >
    > Well even if there are some systems affected I must say that if
    > someone has removed urandom the behavior described is expected. I
    > mean /dev/urandom is there for a reason. And yes there are better
    > functions than rand() but I can hardly see this as a vulnerability. Or
    > well it is, but it is the kind of vulnerability you get when you remove the
    > device that provides randomness in the system.
    >
    > I would have marked them as "minor issue".
    >
    > Cheers
    >
    > // Ola
    >
    > On Fri, 23 Jun 2023 at 06:49, Anton Gladky <gladk@debian.org> wrote:
    > > Hi,
    > >
    > > two CVEs might be irrelevant for Debian systems. Can they be
    > > tagged as "unaffected"? Or do we have some systems where
    > > /dev/urandom does not exist?
    > >
    > > Thanks
    > >
    > > Anton




  • From Moritz Mühlenhoff@21:1/5 to All on Tue Jun 27 20:50:01 2023
    On Fri, Jun 23, 2023 at 09:59:45PM +0200, Anton Gladky wrote:
    > Thank you all for your replies!
    >
    > @Moritz, could you please create an issue with the possible
    > proposal of how it should look?

    Sure, filed as #1039606

    Thanks,
    Moritz
