Amazon Linux 2 Security Advisory: ALASOPENSSL-SNAPSAFE-2023-001
Advisory Release Date: 2023-07-17 19:27 Pacific
Advisory Updated Date: 2023-09-25 22:08 Pacific
A flaw was found in OpenSSL. The issue in CVE-2022-1292 did not find other places in the `c_rehash` script where it possibly passed the file names of certificates being hashed to a command executed through the shell. Some operating systems distribute this script in a manner where it is automatically executed. On these operating systems, this flaw allows an attacker to execute arbitrary commands with the privileges of the script. (CVE-2022-2068)
Affected Packages:
openssl-snapsafe
Note:
This advisory is applicable to Amazon Linux 2 - Openssl-snapsafe Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update openssl-snapsafe to update your system.
aarch64:
openssl-snapsafe-1.0.2k-24.amzn2.0.6.aarch64
openssl-snapsafe-libs-1.0.2k-24.amzn2.0.6.aarch64
openssl-snapsafe-devel-1.0.2k-24.amzn2.0.6.aarch64
openssl-snapsafe-static-1.0.2k-24.amzn2.0.6.aarch64
openssl-snapsafe-perl-1.0.2k-24.amzn2.0.6.aarch64
openssl-snapsafe-debuginfo-1.0.2k-24.amzn2.0.6.aarch64
i686:
openssl-snapsafe-1.0.2k-24.amzn2.0.6.i686
openssl-snapsafe-libs-1.0.2k-24.amzn2.0.6.i686
openssl-snapsafe-devel-1.0.2k-24.amzn2.0.6.i686
openssl-snapsafe-static-1.0.2k-24.amzn2.0.6.i686
openssl-snapsafe-perl-1.0.2k-24.amzn2.0.6.i686
openssl-snapsafe-debuginfo-1.0.2k-24.amzn2.0.6.i686
src:
openssl-snapsafe-1.0.2k-24.amzn2.0.6.src
x86_64:
openssl-snapsafe-1.0.2k-24.amzn2.0.6.x86_64
openssl-snapsafe-libs-1.0.2k-24.amzn2.0.6.x86_64
openssl-snapsafe-devel-1.0.2k-24.amzn2.0.6.x86_64
openssl-snapsafe-static-1.0.2k-24.amzn2.0.6.x86_64
openssl-snapsafe-perl-1.0.2k-24.amzn2.0.6.x86_64
openssl-snapsafe-debuginfo-1.0.2k-24.amzn2.0.6.x86_64