Amazon Linux 2023 Security Advisory: ALAS-2023-096
Advisory Release Date: 2023-02-17 20:47 Pacific
Advisory Updated Date: 2023-02-22 23:27 Pacific
valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. (CVE-2022-23308)
A flaw was found in the libxml2 library in functions used to manipulate the xmlBuf and xmlBuffer types. A sufficiently large input causes the values used to calculate buffer sizes to overflow, resulting in an out-of-bounds write. (CVE-2022-29824)
An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault. (CVE-2022-40303)
An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked. (CVE-2022-40304)
Affected Packages:
libxml2
Issue Correction:
Run dnf update libxml2 --releasever=2023.0.20230222 to update your system.
aarch64:
python3-libxml2-debuginfo-2.10.3-2.amzn2023.0.1.aarch64
libxml2-debugsource-2.10.3-2.amzn2023.0.1.aarch64
libxml2-static-2.10.3-2.amzn2023.0.1.aarch64
libxml2-devel-2.10.3-2.amzn2023.0.1.aarch64
libxml2-debuginfo-2.10.3-2.amzn2023.0.1.aarch64
libxml2-2.10.3-2.amzn2023.0.1.aarch64
python3-libxml2-2.10.3-2.amzn2023.0.1.aarch64
src:
libxml2-2.10.3-2.amzn2023.0.1.src
x86_64:
libxml2-devel-2.10.3-2.amzn2023.0.1.x86_64
python3-libxml2-debuginfo-2.10.3-2.amzn2023.0.1.x86_64
libxml2-debuginfo-2.10.3-2.amzn2023.0.1.x86_64
python3-libxml2-2.10.3-2.amzn2023.0.1.x86_64
libxml2-debugsource-2.10.3-2.amzn2023.0.1.x86_64
libxml2-2.10.3-2.amzn2023.0.1.x86_64
libxml2-static-2.10.3-2.amzn2023.0.1.x86_64
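The following is an added verification script, not part of the ALAS-2023-096 advisory or of Amazon's tooling. It checks whether the libxml2 version-release installed on a host is at or above the fixed build listed above (2.10.3-2.amzn2023.0.1). The function names are my own; it assumes GNU coreutils sort -V for the version comparison and, on a real host, the rpm command for the query. The two sample version strings are constructed so the script demonstrates both outcomes offline.

```shell
#!/bin/sh
# Added example (not from the advisory): is the installed libxml2 at or
# above the version-release that carries the fix for ALAS-2023-096?

# Version-release taken from the advisory's package list (no epoch is listed).
FIXED_LIBXML2_VR="2.10.3-2.amzn2023.0.1"

# libxml2_at_least INSTALLED FIXED
# Returns 0 when INSTALLED ("version-release") is >= FIXED.
# sort -V (GNU coreutils) gives a dotted-version aware ordering, so
# 2.9.13 sorts below 2.10.3 and release 1 below release 2.
libxml2_at_least() {
    installed="$1"
    fixed="$2"
    [ -n "$installed" ] || return 1
    lowest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# libxml2_status INSTALLED -> prints "fixed" or "vulnerable"
libxml2_status() {
    if libxml2_at_least "$1" "$FIXED_LIBXML2_VR"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# installed_libxml2_vr: query the RPM database on a real host.
# Prints nothing and returns 1 if rpm is missing or libxml2 is not installed.
installed_libxml2_vr() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q libxml2 >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' libxml2
}

# Constructed sample values (hypothetical, for the offline demonstration).
SAMPLE_OLD="2.10.3-1.amzn2023.0.1"
SAMPLE_NEW="2.10.3-2.amzn2023.0.1"

main() {
    echo "sample $SAMPLE_OLD: $(libxml2_status "$SAMPLE_OLD")"
    echo "sample $SAMPLE_NEW: $(libxml2_status "$SAMPLE_NEW")"
    vr=$(installed_libxml2_vr) || { echo "rpm query unavailable on this host"; return 0; }
    echo "installed $vr: $(libxml2_status "$vr")"
}
main "$@"
```

On an Amazon Linux 2023 host, run the script before and after the dnf update above; a "vulnerable" result for the installed package means the update has not yet been applied or the host is pinned to an earlier release.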