ALAS2023-2023-066

Amazon Linux 2023 Security Advisory: ALAS-2023-066
Advisory Release Date: 2023-02-17 20:46 Pacific
Advisory Updated Date: 2023-05-23 19:25 Pacific
Severity: Medium
Issue Overview:

2023-05-23: The severity level was changed from Critical to Medium.

Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions. (CVE-2022-25147)


Affected Packages:

apr-util


Issue Correction:
Run dnf update apr-util --releasever=2023.0.20230222 to update your system.

New Packages:
aarch64:
    apr-util-ldap-1.6.3-1.amzn2023.0.1.aarch64
    apr-util-pgsql-1.6.3-1.amzn2023.0.1.aarch64
    apr-util-debugsource-1.6.3-1.amzn2023.0.1.aarch64
    apr-util-odbc-debuginfo-1.6.3-1.amzn2023.0.1.aarch64
    apr-util-debuginfo-1.6.3-1.amzn2023.0.1.aarch64
    apr-util-openssl-1.6.3-1.amzn2023.0.1.aarch64
    apr-util-odbc-1.6.3-1.amzn2023.0.1.aarch64
    apr-util-mysql-1.6.3-1.amzn2023.0.1.aarch64
    apr-util-sqlite-debuginfo-1.6.3-1.amzn2023.0.1.aarch64
    apr-util-ldap-debuginfo-1.6.3-1.amzn2023.0.1.aarch64
    apr-util-1.6.3-1.amzn2023.0.1.aarch64
    apr-util-devel-1.6.3-1.amzn2023.0.1.aarch64
    apr-util-mysql-debuginfo-1.6.3-1.amzn2023.0.1.aarch64
    apr-util-sqlite-1.6.3-1.amzn2023.0.1.aarch64
    apr-util-openssl-debuginfo-1.6.3-1.amzn2023.0.1.aarch64
    apr-util-pgsql-debuginfo-1.6.3-1.amzn2023.0.1.aarch64

src:
    apr-util-1.6.3-1.amzn2023.0.1.src

x86_64:
    apr-util-debugsource-1.6.3-1.amzn2023.0.1.x86_64
    apr-util-odbc-1.6.3-1.amzn2023.0.1.x86_64
    apr-util-odbc-debuginfo-1.6.3-1.amzn2023.0.1.x86_64
    apr-util-devel-1.6.3-1.amzn2023.0.1.x86_64
    apr-util-pgsql-debuginfo-1.6.3-1.amzn2023.0.1.x86_64
    apr-util-1.6.3-1.amzn2023.0.1.x86_64
    apr-util-ldap-1.6.3-1.amzn2023.0.1.x86_64
    apr-util-debuginfo-1.6.3-1.amzn2023.0.1.x86_64
    apr-util-openssl-1.6.3-1.amzn2023.0.1.x86_64
    apr-util-pgsql-1.6.3-1.amzn2023.0.1.x86_64
    apr-util-sqlite-debuginfo-1.6.3-1.amzn2023.0.1.x86_64
    apr-util-sqlite-1.6.3-1.amzn2023.0.1.x86_64
    apr-util-openssl-debuginfo-1.6.3-1.amzn2023.0.1.x86_64
    apr-util-ldap-debuginfo-1.6.3-1.amzn2023.0.1.x86_64
    apr-util-mysql-1.6.3-1.amzn2023.0.1.x86_64
    apr-util-mysql-debuginfo-1.6.3-1.amzn2023.0.1.x86_64

Additional References

Red Hat: CVE-2022-25147

Mitre: CVE-2022-25147