Amazon Linux 2 Security Advisory: ALASNITRO-ENCLAVES-2024-037
Advisory Release Date: 2024-02-01 20:10 Pacific
Advisory Updated Date: 2024-02-01 20:10 Pacific
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-39325)
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. (CVE-2023-3978)
Affected Packages:
containerd
Note:
This advisory is applicable to Amazon Linux 2 - Nitro-enclaves Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update containerd to update your system.
aarch64:
containerd-1.7.11-1.amzn2.0.1.aarch64
containerd-stress-1.7.11-1.amzn2.0.1.aarch64
containerd-debuginfo-1.7.11-1.amzn2.0.1.aarch64
src:
containerd-1.7.11-1.amzn2.0.1.src
x86_64:
containerd-1.7.11-1.amzn2.0.1.x86_64
containerd-stress-1.7.11-1.amzn2.0.1.x86_64
containerd-debuginfo-1.7.11-1.amzn2.0.1.x86_64