Amazon Linux 2 Security Advisory: ALAS-2024-2721
Advisory Release Date: 2024-12-05 01:02 Pacific
Advisory Updated Date: 2024-12-19 16:00 Pacific
Severity:
Medium
Issue Overview:
Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data.
This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h)
Users are recommended to upgrade to APR version 1.7.5, which fixes this issue. (CVE-2023-49582)
Affected Packages:
apr
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update apr to update your system.
New Packages:
aarch64:
apr-1.7.2-1.amzn2.0.1.aarch64
apr-devel-1.7.2-1.amzn2.0.1.aarch64
apr-debuginfo-1.7.2-1.amzn2.0.1.aarch64
i686:
apr-1.7.2-1.amzn2.0.1.i686
apr-devel-1.7.2-1.amzn2.0.1.i686
apr-debuginfo-1.7.2-1.amzn2.0.1.i686
src:
apr-1.7.2-1.amzn2.0.1.src
x86_64:
apr-1.7.2-1.amzn2.0.1.x86_64
apr-devel-1.7.2-1.amzn2.0.1.x86_64
apr-debuginfo-1.7.2-1.amzn2.0.1.x86_64