Amazon Linux 2023 Security Advisory: ALAS-2023-280
Advisory Release Date: 2023-08-03 20:26 Pacific
Advisory Updated Date: 2023-08-09 23:15 Pacific
Severity:
Medium
Issue Overview:
A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user. (CVE-2023-33201)
Affected Packages:
bouncycastle
Issue Correction:
Run dnf update bouncycastle --releasever 2023.1.20230809 to update your system.
New Packages:
noarch:
bouncycastle-mail-1.70-4.amzn2023.0.3.noarch
bouncycastle-pkix-1.70-4.amzn2023.0.3.noarch
bouncycastle-pg-1.70-4.amzn2023.0.3.noarch
bouncycastle-tls-1.70-4.amzn2023.0.3.noarch
bouncycastle-util-1.70-4.amzn2023.0.3.noarch
bouncycastle-1.70-4.amzn2023.0.3.noarch
bouncycastle-javadoc-1.70-4.amzn2023.0.3.noarch
src:
bouncycastle-1.70-4.amzn2023.0.3.src