Amazon Linux 2 Security Advisory: ALAS2ECS-2025-091
Advisory Released Date: 2026-01-05
Advisory Updated Date: 2026-01-05
FAQs regarding Amazon Linux ALAS/CVE Severity
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. (CVE-2025-47914)
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. (CVE-2025-58181)
crypto/x509: excluded subdomain constraint does not restrict wildcard SANs
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. (CVE-2025-61727)
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. (CVE-2025-61729)
Affected Packages:
containerd
Note:
This advisory is applicable to Amazon Linux 2 - Ecs Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update containerd or yum update --advisory ALAS2ECS-2025-091 to update your system.
aarch64:
containerd-2.1.5-1.amzn2.0.3.aarch64
containerd-stress-2.1.5-1.amzn2.0.3.aarch64
containerd-debuginfo-2.1.5-1.amzn2.0.3.aarch64
src:
containerd-2.1.5-1.amzn2.0.3.src
x86_64:
containerd-2.1.5-1.amzn2.0.3.x86_64
containerd-stress-2.1.5-1.amzn2.0.3.x86_64
containerd-debuginfo-2.1.5-1.amzn2.0.3.x86_64