Amazon Linux 2022 Security Advisory: ALAS-2022-053
Advisory Release Date: 2022-04-19 00:10 Pacific
Advisory Updated Date: 2022-04-22 15:16 Pacific
FAQs regarding Amazon Linux ALAS/CVE Severity
A flaw was found in the mod_lua module of httpd. A crafted request body can cause a read to a random memory area due to an uninitialized value in functions called by the parsebody function. The highest treat of this vulnerability is availability. (CVE-2022-22719)
A flaw was found in httpd. The inbound connection is not closed when it fails to discard the request body, which may expose the server to HTTP request smuggling. (CVE-2022-22720)
A flaw was found in httpd, where it incorrectly limits the value of the LimitXMLRequestBody option. This issue can lead to an integer overflow and later causes an out-of-bounds write. (CVE-2022-22721)
An out-of-bounds read/write vulnerability was found in the mod_sed module of httpd. This flaw allows an attacker to overwrite the memory of an httpd instance that is using mod_sed with data provided by the attacker. (CVE-2022-23943)
Affected Packages:
httpd
Issue Correction:
Run dnf update --releasever=2022.0.20220419 httpd to update your system.
aarch64:
httpd-debuginfo-2.4.53-3.amzn2022.0.1.aarch64
httpd-tools-debuginfo-2.4.53-3.amzn2022.0.1.aarch64
mod_ssl-2.4.53-3.amzn2022.0.1.aarch64
mod_session-2.4.53-3.amzn2022.0.1.aarch64
httpd-2.4.53-3.amzn2022.0.1.aarch64
mod_ssl-debuginfo-2.4.53-3.amzn2022.0.1.aarch64
mod_lua-debuginfo-2.4.53-3.amzn2022.0.1.aarch64
mod_lua-2.4.53-3.amzn2022.0.1.aarch64
mod_session-debuginfo-2.4.53-3.amzn2022.0.1.aarch64
httpd-devel-2.4.53-3.amzn2022.0.1.aarch64
mod_proxy_html-2.4.53-3.amzn2022.0.1.aarch64
mod_ldap-2.4.53-3.amzn2022.0.1.aarch64
httpd-tools-2.4.53-3.amzn2022.0.1.aarch64
httpd-core-2.4.53-3.amzn2022.0.1.aarch64
mod_proxy_html-debuginfo-2.4.53-3.amzn2022.0.1.aarch64
httpd-debugsource-2.4.53-3.amzn2022.0.1.aarch64
mod_ldap-debuginfo-2.4.53-3.amzn2022.0.1.aarch64
httpd-core-debuginfo-2.4.53-3.amzn2022.0.1.aarch64
noarch:
httpd-filesystem-2.4.53-3.amzn2022.0.1.noarch
httpd-manual-2.4.53-3.amzn2022.0.1.noarch
src:
httpd-2.4.53-3.amzn2022.0.1.src
x86_64:
mod_ssl-2.4.53-3.amzn2022.0.1.x86_64
mod_ssl-debuginfo-2.4.53-3.amzn2022.0.1.x86_64
mod_ldap-2.4.53-3.amzn2022.0.1.x86_64
httpd-devel-2.4.53-3.amzn2022.0.1.x86_64
httpd-debugsource-2.4.53-3.amzn2022.0.1.x86_64
mod_session-debuginfo-2.4.53-3.amzn2022.0.1.x86_64
httpd-debuginfo-2.4.53-3.amzn2022.0.1.x86_64
mod_ldap-debuginfo-2.4.53-3.amzn2022.0.1.x86_64
mod_lua-debuginfo-2.4.53-3.amzn2022.0.1.x86_64
mod_proxy_html-2.4.53-3.amzn2022.0.1.x86_64
mod_lua-2.4.53-3.amzn2022.0.1.x86_64
mod_session-2.4.53-3.amzn2022.0.1.x86_64
httpd-tools-2.4.53-3.amzn2022.0.1.x86_64
mod_proxy_html-debuginfo-2.4.53-3.amzn2022.0.1.x86_64
httpd-2.4.53-3.amzn2022.0.1.x86_64
httpd-tools-debuginfo-2.4.53-3.amzn2022.0.1.x86_64
httpd-core-2.4.53-3.amzn2022.0.1.x86_64
httpd-core-debuginfo-2.4.53-3.amzn2022.0.1.x86_64