ALAS2-2019-1378


Amazon Linux 2 Security Advisory: ALAS-2019-1378
Advisory Release Date: 2019-12-16 18:45 Pacific
Advisory Updated Date: 2019-12-18 01:23 Pacific
Severity: Critical
References: CVE-2019-5544 

Issue Overview:

A heap-based buffer overflow was discovered in OpenSLP in the way the slpd service processes URLs in service request messages. A remote unauthenticated attacker could register a service with a specially crafted URL that, when used during a service request message, would trigger the flaw and cause the program to crash or to remotely execute code with the privileges of the slpd service.(CVE-2019-5544)


Affected Packages:

openslp


Issue Correction:
Run yum update openslp to update your system.

New Packages:
aarch64:
    openslp-2.0.0-8.amzn2.aarch64
    openslp-server-2.0.0-8.amzn2.aarch64
    openslp-devel-2.0.0-8.amzn2.aarch64
    openslp-debuginfo-2.0.0-8.amzn2.aarch64

i686:
    openslp-2.0.0-8.amzn2.i686
    openslp-server-2.0.0-8.amzn2.i686
    openslp-devel-2.0.0-8.amzn2.i686
    openslp-debuginfo-2.0.0-8.amzn2.i686

src:
    openslp-2.0.0-8.amzn2.src

x86_64:
    openslp-2.0.0-8.amzn2.x86_64
    openslp-server-2.0.0-8.amzn2.x86_64
    openslp-devel-2.0.0-8.amzn2.x86_64
    openslp-debuginfo-2.0.0-8.amzn2.x86_64