Amazon Linux 2 Security Advisory: ALAS-2019-1378
Advisory Release Date: 2019-12-16 18:45 Pacific
Advisory Updated Date: 2019-12-18 01:23 Pacific
Severity:
Critical
Issue Overview:
A heap-based buffer overflow was discovered in OpenSLP in the way the slpd service processes URLs in service request messages. A remote unauthenticated attacker could register a service with a specially crafted URL that, when used during a service request message, would trigger the flaw and cause the program to crash or to remotely execute code with the privileges of the slpd service.(CVE-2019-5544)
Affected Packages:
openslp
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update openslp to update your system.
New Packages:
aarch64:
openslp-2.0.0-8.amzn2.aarch64
openslp-server-2.0.0-8.amzn2.aarch64
openslp-devel-2.0.0-8.amzn2.aarch64
openslp-debuginfo-2.0.0-8.amzn2.aarch64
i686:
openslp-2.0.0-8.amzn2.i686
openslp-server-2.0.0-8.amzn2.i686
openslp-devel-2.0.0-8.amzn2.i686
openslp-debuginfo-2.0.0-8.amzn2.i686
src:
openslp-2.0.0-8.amzn2.src
x86_64:
openslp-2.0.0-8.amzn2.x86_64
openslp-server-2.0.0-8.amzn2.x86_64
openslp-devel-2.0.0-8.amzn2.x86_64
openslp-debuginfo-2.0.0-8.amzn2.x86_64