ALAS2-2023-1937


Amazon Linux 2 Security Advisory: ALAS-2023-1937
Advisory Release Date: 2023-02-13 16:57 Pacific
Advisory Updated Date: 2023-05-23 19:24 Pacific
Severity: Medium

Issue Overview:

2023-05-23: The severity level was changed from Critical to Medium.

Integer Overflow or Wraparound vulnerability in the apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond the bounds of a buffer. This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions. (CVE-2022-25147)
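
The bug class named in the CVE description, shown as an added example that is not code from this advisory or from APR-util: a base64 output-size calculation done in 32-bit arithmetic wraps for large inputs, so a buffer allocated from it is far smaller than what the encoder writes. The function names and the use of uint32_t lengths are assumptions made for illustration; the advisory does not show the affected code.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative names, not APR-util code. Unchecked sizing in 32-bit arithmetic:
 * 4 output bytes per 3 input bytes plus a NUL; wraps for large len. */
static uint32_t b64_len_unchecked(uint32_t len) {
    return (len + 2u) / 3u * 4u + 1u;
}

/* Checked sizing: fail instead of returning a wrapped (too small) size. */
static int b64_len_checked(uint32_t len, uint32_t *out) {
    uint32_t groups = len / 3u + (len % 3u != 0u);
    if (groups > (UINT32_MAX - 1u) / 4u)
        return -1;
    *out = groups * 4u + 1u;
    return 0;
}

/* Encoder sized by the checked helper; NULL on overflow or failed malloc. */
static char *b64_encode_alloc(const unsigned char *src, uint32_t len) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t need, i;
    char *dst, *p;

    if (b64_len_checked(len, &need) != 0 || (dst = malloc(need)) == NULL)
        return NULL;
    for (p = dst, i = 0; i < len; i += 3) {
        uint32_t rem = len - i, v = (uint32_t)src[i] << 16;
        if (rem > 1) v |= (uint32_t)src[i + 1] << 8;
        if (rem > 2) v |= src[i + 2];
        *p++ = tbl[v >> 18];
        *p++ = tbl[(v >> 12) & 63];
        *p++ = rem > 1 ? tbl[(v >> 6) & 63] : '=';
        *p++ = rem > 2 ? tbl[v & 63] : '=';
    }
    *p = '\0';
    return dst;
}

int main(void) {
    char *s = b64_encode_alloc((const unsigned char *)"Ma", 2); /* constructed input */
    printf("unchecked size for a 0xFFFFFFFF-byte input: %u\n",
           (unsigned)b64_len_unchecked(0xFFFFFFFFu));
    printf("checked encoder output: %s\n", s ? s : "(rejected)");
    free(s);
    return 0;
}
```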


Affected Packages:

apr-util


Note:

This advisory applies to the Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update apr-util to update your system.

New Packages:
aarch64:
    apr-util-1.6.3-1.amzn2.0.1.aarch64
    apr-util-devel-1.6.3-1.amzn2.0.1.aarch64
    apr-util-pgsql-1.6.3-1.amzn2.0.1.aarch64
    apr-util-bdb-1.6.3-1.amzn2.0.1.aarch64
    apr-util-mysql-1.6.3-1.amzn2.0.1.aarch64
    apr-util-sqlite-1.6.3-1.amzn2.0.1.aarch64
    apr-util-odbc-1.6.3-1.amzn2.0.1.aarch64
    apr-util-ldap-1.6.3-1.amzn2.0.1.aarch64
    apr-util-openssl-1.6.3-1.amzn2.0.1.aarch64
    apr-util-nss-1.6.3-1.amzn2.0.1.aarch64
    apr-util-debuginfo-1.6.3-1.amzn2.0.1.aarch64

i686:
    apr-util-1.6.3-1.amzn2.0.1.i686
    apr-util-devel-1.6.3-1.amzn2.0.1.i686
    apr-util-pgsql-1.6.3-1.amzn2.0.1.i686
    apr-util-bdb-1.6.3-1.amzn2.0.1.i686
    apr-util-mysql-1.6.3-1.amzn2.0.1.i686
    apr-util-sqlite-1.6.3-1.amzn2.0.1.i686
    apr-util-odbc-1.6.3-1.amzn2.0.1.i686
    apr-util-ldap-1.6.3-1.amzn2.0.1.i686
    apr-util-openssl-1.6.3-1.amzn2.0.1.i686
    apr-util-nss-1.6.3-1.amzn2.0.1.i686
    apr-util-debuginfo-1.6.3-1.amzn2.0.1.i686

src:
    apr-util-1.6.3-1.amzn2.0.1.src

x86_64:
    apr-util-1.6.3-1.amzn2.0.1.x86_64
    apr-util-devel-1.6.3-1.amzn2.0.1.x86_64
    apr-util-pgsql-1.6.3-1.amzn2.0.1.x86_64
    apr-util-bdb-1.6.3-1.amzn2.0.1.x86_64
    apr-util-mysql-1.6.3-1.amzn2.0.1.x86_64
    apr-util-sqlite-1.6.3-1.amzn2.0.1.x86_64
    apr-util-odbc-1.6.3-1.amzn2.0.1.x86_64
    apr-util-ldap-1.6.3-1.amzn2.0.1.x86_64
    apr-util-openssl-1.6.3-1.amzn2.0.1.x86_64
    apr-util-nss-1.6.3-1.amzn2.0.1.x86_64
    apr-util-debuginfo-1.6.3-1.amzn2.0.1.x86_64