ALAS2-2019-1154


Amazon Linux 2 Security Advisory: ALAS-2019-1154
Advisory Release Date: 2019-01-23 23:30 Pacific
Advisory Updated Date: 2019-01-25 01:05 Pacific
Severity: Important

Issue Overview:

A heap-based buffer overflow in the extract_status_code() function in lib/html.c, which parses the HTTP status code returned by a web server, allows a malicious web server, or a man-in-the-middle attacker pretending to be one, to cause a denial of service or potentially execute arbitrary code on the keepalived load balancer. (CVE-2018-19115)
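The defensive pattern for the bug class described above, as an added illustration that is not keepalived's own lib/html.c code: the parser receives the response buffer together with its length and bounds every read, so a short, truncated or hostile status line fails cleanly instead of reading past the allocation. The function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not keepalived's code: extract the 3-digit HTTP status
 * code from a response buffer of known length. Every read is bounded by
 * buf + len and the buffer need not be NUL-terminated. Returns 0 and
 * stores the code in *code on success, -1 on any malformed input. */
int parse_status_code(const unsigned char *buf, size_t len, int *code)
{
    const unsigned char *end = buf + len;
    const unsigned char *p = buf;
    int value = 0;

    /* Status line grammar: "HTTP/" major "." minor SP 3DIGIT SP reason CRLF */
    if (len < 5 || memcmp(p, "HTTP/", 5) != 0)
        return -1;
    p += 5;

    /* Walk the version up to the first SP, never beyond end. */
    while (p < end && *p != ' ') {
        if (*p != '.' && (*p < '0' || *p > '9'))
            return -1;
        p++;
    }
    /* The SP plus exactly three digits must still lie inside the buffer. */
    if (end - p < 4)
        return -1;
    p++;
    for (int i = 0; i < 3; i++) {
        if (p[i] < '0' || p[i] > '9')
            return -1;
        value = value * 10 + (p[i] - '0');
    }
    /* A fourth digit means this is not a status code at all. */
    if (p + 3 < end && p[3] != ' ' && p[3] != '\r')
        return -1;
    *code = value;
    return 0;
}

/* Convenience wrapper for NUL-terminated strings: the code, or -1 on error. */
int status_code_of(const char *s)
{
    int code;
    return parse_status_code((const unsigned char *)s, strlen(s), &code) ? -1 : code;
}
```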


Affected Packages:

keepalived


Note:

This advisory applies to the Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update keepalived to update your system.

New Packages:
aarch64:
    keepalived-1.3.5-8.amzn2.aarch64
    keepalived-debuginfo-1.3.5-8.amzn2.aarch64

i686:
    keepalived-1.3.5-8.amzn2.i686
    keepalived-debuginfo-1.3.5-8.amzn2.i686

src:
    keepalived-1.3.5-8.amzn2.src

x86_64:
    keepalived-1.3.5-8.amzn2.x86_64
    keepalived-debuginfo-1.3.5-8.amzn2.x86_64