Amazon Linux 2 Security Advisory: ALAS-2025-2744
Advisory Release Date: 2025-01-30 22:56 Pacific
Advisory Updated Date: 2025-02-04 11:02 Pacific
Severity:
Medium
Issue Overview:
CPython 3.9 and earlier doesn't disallow configuring an empty list for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured). (CVE-2024-5642)
Affected Packages:
python
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update python to update your system.
New Packages:
aarch64:
python-2.7.18-1.amzn2.0.10.aarch64
python-libs-2.7.18-1.amzn2.0.10.aarch64
python-devel-2.7.18-1.amzn2.0.10.aarch64
python-tools-2.7.18-1.amzn2.0.10.aarch64
tkinter-2.7.18-1.amzn2.0.10.aarch64
python-test-2.7.18-1.amzn2.0.10.aarch64
python-debug-2.7.18-1.amzn2.0.10.aarch64
python-debuginfo-2.7.18-1.amzn2.0.10.aarch64
i686:
python-2.7.18-1.amzn2.0.10.i686
python-libs-2.7.18-1.amzn2.0.10.i686
python-devel-2.7.18-1.amzn2.0.10.i686
python-tools-2.7.18-1.amzn2.0.10.i686
tkinter-2.7.18-1.amzn2.0.10.i686
python-test-2.7.18-1.amzn2.0.10.i686
python-debug-2.7.18-1.amzn2.0.10.i686
python-debuginfo-2.7.18-1.amzn2.0.10.i686
src:
python-2.7.18-1.amzn2.0.10.src
x86_64:
python-2.7.18-1.amzn2.0.10.x86_64
python-libs-2.7.18-1.amzn2.0.10.x86_64
python-devel-2.7.18-1.amzn2.0.10.x86_64
python-tools-2.7.18-1.amzn2.0.10.x86_64
tkinter-2.7.18-1.amzn2.0.10.x86_64
python-test-2.7.18-1.amzn2.0.10.x86_64
python-debug-2.7.18-1.amzn2.0.10.x86_64
python-debuginfo-2.7.18-1.amzn2.0.10.x86_64