Amazon Linux 2 Security Advisory: ALAS-2025-2743
Advisory Release Date: 2025-01-30 22:56 Pacific
Advisory Updated Date: 2025-02-04 11:02 Pacific
Severity:
Medium
Issue Overview:
CPython 3.9 and earlier doesn't disallow configuring an empty list for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured). (CVE-2024-5642)
Affected Packages:
python3
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update python3 to update your system.
New Packages:
aarch64:
python3-3.7.16-1.amzn2.0.9.aarch64
python3-libs-3.7.16-1.amzn2.0.9.aarch64
python3-devel-3.7.16-1.amzn2.0.9.aarch64
python3-tools-3.7.16-1.amzn2.0.9.aarch64
python3-tkinter-3.7.16-1.amzn2.0.9.aarch64
python3-test-3.7.16-1.amzn2.0.9.aarch64
python3-debug-3.7.16-1.amzn2.0.9.aarch64
python3-debuginfo-3.7.16-1.amzn2.0.9.aarch64
i686:
python3-3.7.16-1.amzn2.0.9.i686
python3-libs-3.7.16-1.amzn2.0.9.i686
python3-devel-3.7.16-1.amzn2.0.9.i686
python3-tools-3.7.16-1.amzn2.0.9.i686
python3-tkinter-3.7.16-1.amzn2.0.9.i686
python3-test-3.7.16-1.amzn2.0.9.i686
python3-debug-3.7.16-1.amzn2.0.9.i686
python3-debuginfo-3.7.16-1.amzn2.0.9.i686
src:
python3-3.7.16-1.amzn2.0.9.src
x86_64:
python3-3.7.16-1.amzn2.0.9.x86_64
python3-libs-3.7.16-1.amzn2.0.9.x86_64
python3-devel-3.7.16-1.amzn2.0.9.x86_64
python3-tools-3.7.16-1.amzn2.0.9.x86_64
python3-tkinter-3.7.16-1.amzn2.0.9.x86_64
python3-test-3.7.16-1.amzn2.0.9.x86_64
python3-debug-3.7.16-1.amzn2.0.9.x86_64
python3-debuginfo-3.7.16-1.amzn2.0.9.x86_64