Amazon Linux 2022 Security Advisory: ALAS-2022-095
Advisory Release Date: 2022-06-28 23:52 Pacific
Advisory Updated Date: 2022-07-19 19:44 Pacific
A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0. (CVE-2022-1348)
Affected Packages:
logrotate
Issue Correction:
Run dnf update --releasever=2022.0.20220628 logrotate to update your system.
aarch64:
logrotate-debugsource-3.20.1-2.amzn2022.aarch64
logrotate-debuginfo-3.20.1-2.amzn2022.aarch64
logrotate-3.20.1-2.amzn2022.aarch64
src:
logrotate-3.20.1-2.amzn2022.src
x86_64:
logrotate-debuginfo-3.20.1-2.amzn2022.x86_64
logrotate-debugsource-3.20.1-2.amzn2022.x86_64
logrotate-3.20.1-2.amzn2022.x86_64