Amazon Linux 2023 Security Advisory: ALAS-2023-015
Advisory Release Date: 2023-02-17 20:43 Pacific
Advisory Updated Date: 2023-02-22 23:57 Pacific
There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well. (CVE-2021-3520)
Affected Packages:
lz4
Issue Correction:
Run dnf update lz4 --releasever=2023.0.20230222 to update your system.
aarch64:
lz4-libs-1.9.4-1.amzn2023.0.2.aarch64
lz4-1.9.4-1.amzn2023.0.2.aarch64
lz4-libs-debuginfo-1.9.4-1.amzn2023.0.2.aarch64
lz4-debuginfo-1.9.4-1.amzn2023.0.2.aarch64
lz4-static-1.9.4-1.amzn2023.0.2.aarch64
lz4-debugsource-1.9.4-1.amzn2023.0.2.aarch64
lz4-devel-1.9.4-1.amzn2023.0.2.aarch64
src:
lz4-1.9.4-1.amzn2023.0.2.src
x86_64:
lz4-debuginfo-1.9.4-1.amzn2023.0.2.x86_64
lz4-libs-1.9.4-1.amzn2023.0.2.x86_64
lz4-static-1.9.4-1.amzn2023.0.2.x86_64
lz4-libs-debuginfo-1.9.4-1.amzn2023.0.2.x86_64
lz4-debugsource-1.9.4-1.amzn2023.0.2.x86_64
lz4-devel-1.9.4-1.amzn2023.0.2.x86_64
lz4-1.9.4-1.amzn2023.0.2.x86_64