Description of issue(s): When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate the random numbers used for DNS query IDs. rand() is not a CSPRNG, and c-ares also never seeds it with srand(), so it produces predictable output. Output from the random number generator is then fed into a non-compliant RC4 implementation and may not be as strong as the original RC4. No attempt is made to use modern OS-provided CSPRNGs such as arc4random(), which is widely available. CVE-2023-31147 Insufficient randomness in generation of DNS query IDs (https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2)
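The contrast the advisory draws, as an added example that is not c-ares code: a DNS query-ID generator built on unseeded rand() beside one that draws from the OS CSPRNG. The function names (weak_query_id, secure_query_id, weak_ids_are_predictable, secure_ids_vary) are this example's own; it assumes a POSIX system with /dev/urandom and, where available, arc4random_buf().

```c
/* Added example, not c-ares code. Shows why rand()-based DNS query IDs
 * are predictable and what an OS-CSPRNG-backed generator looks like. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Weak generator, as the advisory describes: rand() is not a CSPRNG, and
 * without an srand() call the C standard guarantees the stream is the same
 * as after srand(1), so every process emits the same sequence of IDs. */
static uint16_t weak_query_id(void)
{
    return (uint16_t)(rand() & 0xFFFF);
}

/* Collect n IDs from the weak generator after seeding with `seed`. */
static void collect_weak_ids(unsigned seed, uint16_t *out, int n)
{
    int i;
    srand(seed);
    for (i = 0; i < n; i++)
        out[i] = weak_query_id();
}

/* Returns 1 if two runs from the default seed (the state of a process that
 * never called srand()) yield identical ID streams, i.e. the IDs are fully
 * determined by a known seed. */
int weak_ids_are_predictable(void)
{
    enum { N = 16 };
    uint16_t first[N], replay[N];
    collect_weak_ids(1, first, N);
    collect_weak_ids(1, replay, N);
    return memcmp(first, replay, sizeof first) == 0;
}

/* Hardened generator: take the ID from the OS CSPRNG. Returns 0 on success
 * and -1 on failure; a caller must treat failure as an error instead of
 * falling back to rand(). */
int secure_query_id(uint16_t *id)
{
#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__APPLE__)
    /* arc4random_buf() is the platform CSPRNG interface on these systems. */
    arc4random_buf(id, sizeof *id);
    return 0;
#else
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got;
    if (f == NULL)
        return -1;
    got = fread(id, sizeof *id, 1, f);
    fclose(f);
    return got == 1 ? 0 : -1;
#endif
}

/* Sanity check on the hardened path: 16 draws should not all be equal
 * (the chance of that from a real CSPRNG is about 2^-240). Returns 1 if at
 * least two distinct IDs were seen, 0 otherwise or on read failure. */
int secure_ids_vary(void)
{
    uint16_t first, next;
    int i;
    if (secure_query_id(&first) != 0)
        return 0;
    for (i = 0; i < 15; i++) {
        if (secure_query_id(&next) != 0)
            return 0;
        if (next != first)
            return 1;
    }
    return 0;
}

int main(void)
{
    uint16_t id;
    printf("weak IDs predictable from default seed: %s\n",
           weak_ids_are_predictable() ? "yes" : "no");
    if (secure_query_id(&id) == 0)
        printf("CSPRNG-backed query id: 0x%04x\n", id);
    printf("CSPRNG-backed IDs vary: %s\n", secure_ids_vary() ? "yes" : "no");
    return 0;
}
```

The hardened path never silently degrades: if the CSPRNG cannot be read it reports an error, which is the behaviour a resolver should prefer over a predictable fallback.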
Created c-ares tracking bugs for this issue: Affects: fedora-all [bug 2209542]
Created mingw-c-ares tracking bugs for this issue: Affects: fedora-all [bug 2209543]
Created nodejs tracking bugs for this issue: Affects: epel-7 [bug 2209539]
Created nodejs16 tracking bugs for this issue: Affects: fedora-all [bug 2209544]
Created nodejs18 tracking bugs for this issue: Affects: fedora-all [bug 2209545]
Created nodejs20 tracking bugs for this issue: Affects: fedora-all [bug 2209546]
Created nodejs:13/nodejs tracking bugs for this issue: Affects: epel-8 [bug 2209540]
Created nodejs:16-epel/nodejs tracking bugs for this issue: Affects: epel-8 [bug 2209541]
Created nodejs:16/c-ares tracking bugs for this issue: Affects: fedora-all [bug 2209547]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:3577 https://access.redhat.com/errata/RHSA-2023:3577
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:3586 https://access.redhat.com/errata/RHSA-2023:3586
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:4036 https://access.redhat.com/errata/RHSA-2023:4036
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2023:4039 https://access.redhat.com/errata/RHSA-2023:4039
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:4035 https://access.redhat.com/errata/RHSA-2023:4035
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:4034 https://access.redhat.com/errata/RHSA-2023:4034
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:4033 https://access.redhat.com/errata/RHSA-2023:4033
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6635 https://access.redhat.com/errata/RHSA-2023:6635