Amazon Linux 2 Security Advisory: ALAS-2023-2303
Advisory Release Date: 2023-10-12 15:09 Pacific
Advisory Updated Date: 2023-10-19 23:41 Pacific
FAQs regarding Amazon Linux ALAS/CVE Severity
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. (CVE-2021-43565)
http2/hpack: avoid quadratic complexity in hpack decoding (CVE-2022-41723)
Templates did not properly consider backticks (`) as Javascript string delimiters, and as such did
not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template
contained a Go template action within a Javascript template literal, the contents of the action could
be used to terminate the literal, injecting arbitrary Javascript code into the Go template. (CVE-2023-24538)
Affected Packages:
amazon-ssm-agent
Issue Correction:
Run yum update amazon-ssm-agent to update your system.
aarch64:
amazon-ssm-agent-3.2.1705.0-1.amzn2.aarch64
amazon-ssm-agent-debuginfo-3.2.1705.0-1.amzn2.aarch64
src:
amazon-ssm-agent-3.2.1705.0-1.amzn2.src
x86_64:
amazon-ssm-agent-3.2.1705.0-1.amzn2.x86_64
amazon-ssm-agent-debuginfo-3.2.1705.0-1.amzn2.x86_64