ALAS2023-2025-942

Amazon Linux 2023 Security Advisory: ALAS2023-2025-942
Advisory Released Date: 2025-04-29
Advisory Updated Date: 2025-04-29
Severity: Medium
Issue Overview:

c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5. (CVE-2025-31498)


Affected Packages:

nodejs20


Issue Correction:
Run dnf update nodejs20 --releasever 2023.7.20250428 to update your system.

New Packages:
aarch64:
    nodejs20-libs-debuginfo-20.19.0-1.amzn2023.0.1.aarch64
    nodejs20-debuginfo-20.19.0-1.amzn2023.0.1.aarch64
    nodejs20-devel-20.19.0-1.amzn2023.0.1.aarch64
    nodejs20-full-i18n-20.19.0-1.amzn2023.0.1.aarch64
    v8-11.3-devel-11.3.244.8-1.20.19.0.1.amzn2023.0.1.aarch64
    nodejs20-20.19.0-1.amzn2023.0.1.aarch64
    nodejs20-libs-20.19.0-1.amzn2023.0.1.aarch64
    nodejs20-npm-10.8.2-1.20.19.0.1.amzn2023.0.1.aarch64
    nodejs20-debugsource-20.19.0-1.amzn2023.0.1.aarch64

noarch:
    nodejs20-docs-20.19.0-1.amzn2023.0.1.noarch

src:
    nodejs20-20.19.0-1.amzn2023.0.1.src

x86_64:
    nodejs20-libs-debuginfo-20.19.0-1.amzn2023.0.1.x86_64
    nodejs20-full-i18n-20.19.0-1.amzn2023.0.1.x86_64
    nodejs20-libs-20.19.0-1.amzn2023.0.1.x86_64
    nodejs20-debuginfo-20.19.0-1.amzn2023.0.1.x86_64
    nodejs20-devel-20.19.0-1.amzn2023.0.1.x86_64
    v8-11.3-devel-11.3.244.8-1.20.19.0.1.amzn2023.0.1.x86_64
    nodejs20-20.19.0-1.amzn2023.0.1.x86_64
    nodejs20-npm-10.8.2-1.20.19.0.1.amzn2023.0.1.x86_64
    nodejs20-debugsource-20.19.0-1.amzn2023.0.1.x86_64

Additional References

Release Notes:  Amazon Linux 2023 Release Notes

Red Hat: CVE-2025-31498

Mitre: CVE-2025-31498