Amazon Linux 2022 Security Advisory: ALAS-2022-084
Advisory Release Date: 2022-06-01 17:54 Pacific
Advisory Updated Date: 2022-06-10 00:14 Pacific
A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0. (CVE-2022-1348)
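A defender-side check for the condition described above, as an added example that is not part of the advisory or of logrotate. It assumes the state file is at /var/lib/logrotate/logrotate.status (pass another path if logrotate is run with -s/--state). The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a logrotate state file
# against the CVE-2022-1348 condition described above.
# Assumption: /var/lib/logrotate/logrotate.status is the state file; pass a
# different path if logrotate is run with -s/--state.
DEFAULT_STATE=/var/lib/logrotate/logrotate.status

# Prints exactly one word: missing | not-regular | world-readable | ok
audit_state_file() {
    f=${1:-$DEFAULT_STATE}
    # A symlink or other non-regular file is reported, never followed.
    if [ -L "$f" ]; then echo not-regular; return 0; fi
    # Absent file: a vulnerable logrotate creates it world-readable on the next run.
    if [ ! -e "$f" ]; then echo missing; return 0; fi
    if [ ! -f "$f" ]; then echo not-regular; return 0; fi
    # find -perm -004 matches only when the "other" read bit is set.
    if [ -n "$(find "$f" -prune -perm -004 2>/dev/null)" ]; then
        echo world-readable
    else
        echo ok
    fi
}

# Maps the status word to what an operator should do next.
audit_message() {
    case "$1" in
        world-readable) echo "unprivileged users can open and lock this file: update logrotate" ;;
        missing)        echo "no state file yet: confirm the fixed package is installed before the next run" ;;
        not-regular)    echo "state path is not a regular file: investigate" ;;
        ok)             echo "state file is not world-readable" ;;
        *)              echo "unknown status"; return 1 ;;
    esac
}
```

After sourcing the file, audit_message "$(audit_state_file)" prints the result for the default path.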
Affected Packages:
logrotate
Issue Correction:
Run dnf update --releasever=2022.0.20220518 logrotate to update your system.
aarch64:
logrotate-debuginfo-3.18.0-3.amzn2022.0.1.aarch64
logrotate-debugsource-3.18.0-3.amzn2022.0.1.aarch64
logrotate-3.18.0-3.amzn2022.0.1.aarch64
src:
logrotate-3.18.0-3.amzn2022.0.1.src
x86_64:
logrotate-debugsource-3.18.0-3.amzn2022.0.1.x86_64
logrotate-debuginfo-3.18.0-3.amzn2022.0.1.x86_64
logrotate-3.18.0-3.amzn2022.0.1.x86_64