Amazon Linux 2 Security Advisory: ALAS-2019-1154
Advisory Release Date: 2019-01-23 23:30 Pacific
Advisory Updated Date: 2019-01-25 01:05 Pacific
A heap-based buffer overflow in the extract_status_code() function in lib/html.c, which parses the HTTP status code returned by a web server, allows a malicious web server, or a man-in-the-middle attacker posing as one, to cause a denial of service or potentially execute arbitrary code on the keepalived load balancer. (CVE-2018-19115)
Affected Packages:
keepalived
Note:
This advisory applies to the Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update keepalived to update your system.
aarch64:
keepalived-1.3.5-8.amzn2.aarch64
keepalived-debuginfo-1.3.5-8.amzn2.aarch64
i686:
keepalived-1.3.5-8.amzn2.i686
keepalived-debuginfo-1.3.5-8.amzn2.i686
src:
keepalived-1.3.5-8.amzn2.src
x86_64:
keepalived-1.3.5-8.amzn2.x86_64
keepalived-debuginfo-1.3.5-8.amzn2.x86_64
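The following is an added example, not part of this advisory and not keepalived or Amazon Linux tooling: a POSIX shell check that takes a package NVR string as printed by rpm -q keepalived and reports whether it is at or above the fixed build 1.3.5-8.amzn2 listed above. The sample NVRs in the SAMPLES variable are constructed for illustration; the version comparison assumes purely numeric dotted versions and a numeric leading release field, which holds for the AL2 builds in this advisory.

```shell
#!/bin/sh
# Added example, not part of the ALAS-2019-1154 advisory text or of keepalived.
# Checks whether a keepalived package NVR (as printed by "rpm -q keepalived") is at
# or above the fixed build 1.3.5-8.amzn2 listed in the advisory. Assumes numeric
# dotted version strings and a numeric leading release field, as in the AL2 builds.

FIXED_VERSION="1.3.5"
FIXED_RELEASE="8"

# vercmp A B: prints -1, 0 or 1 comparing dotted numeric versions field by field,
# treating missing trailing fields as 0 (so 1.3 compares equal to 1.3.0).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
        # drop the field just compared; clear the string when no dot remains
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# keepalived_fixed NVR: exit status 0 if the build contains the fix, 1 if it is older.
# Works for "keepalived-1.3.5-8.amzn2.x86_64" and for the debuginfo subpackage alike,
# because version and release are taken from the end of the string, not the start.
keepalived_fixed() {
    nvr="$1"
    rel_field="${nvr##*-}"               # e.g. "8.amzn2.x86_64"
    ver="${nvr%-*}"; ver="${ver##*-}"    # e.g. "1.3.5"
    rel="${rel_field%%.*}"               # e.g. "8"
    c=$(vercmp "$ver" "$FIXED_VERSION")
    if [ "$c" -gt 0 ]; then return 0; fi  # newer upstream version than the fix
    if [ "$c" -lt 0 ]; then return 1; fi  # older upstream version than the fix
    [ "$rel" -ge "$FIXED_RELEASE" ]       # same version: compare the AL2 release number
}

# Constructed sample NVRs standing in for "rpm -q" output on three hypothetical hosts.
SAMPLES="keepalived-1.3.5-8.amzn2.x86_64 keepalived-1.3.5-6.amzn2.aarch64 keepalived-2.0.10-1.amzn2.x86_64"
for nvr in $SAMPLES; do
    if keepalived_fixed "$nvr"; then
        printf '%s: fixed\n' "$nvr"
    else
        printf '%s: VULNERABLE, run yum update keepalived\n' "$nvr"
    fi
done

# On a real AL2 host, check the installed package instead. rpm -q exits non-zero
# when the package is absent (or rpm is missing), so that case is simply skipped.
if installed=$(rpm -q keepalived 2>/dev/null); then
    if keepalived_fixed "$installed"; then
        printf 'installed %s: fixed\n' "$installed"
    else
        printf 'installed %s: VULNERABLE, run yum update keepalived\n' "$installed"
    fi
fi
```

The check only tells you whether the installed build carries the fix; after yum update keepalived, the running daemon still has to be restarted before the new code is in use, so pair this with a check of the process start time against the package install time.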