ALAS-2024-2547

Amazon Linux 2 Security Advisory: ALAS-2024-2547
Advisory Release Date: 2024-05-23 22:04 Pacific
Advisory Updated Date: 2024-05-29 12:00 Pacific

Severity: Important

References: CVE-2024-32487
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases. (CVE-2024-32487)

Affected Packages:

less

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update less to update your system.

New Packages:

aarch64:
    less-458-9.amzn2.0.4.aarch64
    less-debuginfo-458-9.amzn2.0.4.aarch64

i686:
    less-458-9.amzn2.0.4.i686
    less-debuginfo-458-9.amzn2.0.4.i686

src:
    less-458-9.amzn2.0.4.src

x86_64:
    less-458-9.amzn2.0.4.x86_64
    less-debuginfo-458-9.amzn2.0.4.x86_64

Additional References

Red Hat: CVE-2024-32487

Mitre: CVE-2024-32487

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

ALAS-2024-2547

Additional References