QID 357334
Date Published: 2024-03-19
QID 357334: Amazon Linux Security Advisory for c-ares : ALAS2-2024-2494
C-ares is a c library for asynchronous dns requests.
`ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `hostaliases` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file.
If any of these configuration files has an embedded `null` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash.
This issue is fixed in c-ares 1.27.0.
No known workarounds exist. (
( CVE-2024-25629)
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
Solution
Please refer to Amazon advisory: ALAS2-2024-2494 for affected packages and patching details, or update with your package manager.
Vendor References
- ALAS2-2024-2494 -
alas.aws.amazon.com/AL2/ALAS-2024-2494.html
CVEs related to QID 357334
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| ALAS2-2024-2494 | amazon linux 2 |
alas.aws.amazon.com/AL2/ALAS-2024-2494.html |