On Fri, Jun 23, 2023 at 06:48:23AM +0200, Anton Gladky wrote:
> Hi,
>
> two CVEs might be irrelevant for Debian systems. Can they be
> tagged as "unaffected"? Or we have some systems, where
> /dev/urandom is not existing?

They are already marked as non-issues:

CVE-2023-31124 (c-ares is an asynchronous resolver library. When cross-compiling c-are ...)
    - c-ares <unfixed> (unimportant)
    NOTE: No impact on binaries shipped by Debian
CVE-2023-31147 (c-ares is an asynchronous resolver library. When /dev/urandom or RtlGe ...)
    - c-ares <unfixed> (unimportant)
    NOTE: Any Debian system/port provides /dev/urandom

But in fact the view in the Debian security is a little misleading, given
that it displays "vulnerable" all over the place, e.g.
https://security-tracker.debian.org/tracker/CVE-2023-31147

It would be nice if for "unimportant" issues it would display
"non issue/no impact" instead of "vulnerable".

Cheers,
Moritz