ALAS2-2019-1154


Amazon Linux 2 Security Advisory: ALAS-2019-1154
Advisory Release Date: 2019-01-25 01:05 Pacific
Severity: Important
References: CVE-2018-19115 

Issue Overview:

Heap-based buffer overflow vulnerability in extract_status_code() function in lib/html.c that parses HTTP status code returned from web server allows malicious web server or man-in-the-middle attacker pretending to be a web server to cause either a denial of service or potentially execute arbitrary code on keepalived load balancer.(CVE-2018-19115 )


Affected Packages:

keepalived


Issue Correction:
Run yum update keepalived to update your system.

New Packages:
aarch64:
    keepalived-1.3.5-8.amzn2.aarch64
    keepalived-debuginfo-1.3.5-8.amzn2.aarch64

i686:
    keepalived-1.3.5-8.amzn2.i686
    keepalived-debuginfo-1.3.5-8.amzn2.i686

src:
    keepalived-1.3.5-8.amzn2.src

x86_64:
    keepalived-1.3.5-8.amzn2.x86_64
    keepalived-debuginfo-1.3.5-8.amzn2.x86_64