Amazon Linux 2022 Security Advisory: ALAS-2022-189
Advisory Release Date: 2022-11-01 21:24 Pacific
Advisory Updated Date: 2022-11-03 20:58 Pacific
A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0. (CVE-2022-1348)
Affected Packages:
logrotate
Issue Correction:
Run dnf update logrotate --releasever=2022.0.20221102 to update your system.
aarch64:
logrotate-debugsource-3.20.1-2.amzn2022.0.2.aarch64
logrotate-debuginfo-3.20.1-2.amzn2022.0.2.aarch64
logrotate-3.20.1-2.amzn2022.0.2.aarch64
src:
logrotate-3.20.1-2.amzn2022.0.2.src
x86_64:
logrotate-debugsource-3.20.1-2.amzn2022.0.2.x86_64
logrotate-debuginfo-3.20.1-2.amzn2022.0.2.x86_64
logrotate-3.20.1-2.amzn2022.0.2.x86_64