ALAS2023-2023-363

Amazon Linux 2023 Security Advisory: ALAS-2023-363
Advisory Release Date: 2023-09-27 21:05 Pacific
Advisory Updated Date: 2023-10-03 20:50 Pacific
Severity: Medium
Issue Overview:

OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0. (CVE-2023-41915)


Affected Packages:

pmix


Issue Correction:
Run dnf update pmix --releasever 2023.2.20231002 to update your system.

New Packages:
aarch64:
    pmix-pmi-debuginfo-3.2.3-1.amzn2023.0.3.aarch64
    pmix-tools-debuginfo-3.2.3-1.amzn2023.0.3.aarch64
    pmix-tools-3.2.3-1.amzn2023.0.3.aarch64
    pmix-pmi-devel-3.2.3-1.amzn2023.0.3.aarch64
    pmix-3.2.3-1.amzn2023.0.3.aarch64
    pmix-pmi-3.2.3-1.amzn2023.0.3.aarch64
    pmix-devel-3.2.3-1.amzn2023.0.3.aarch64
    pmix-debuginfo-3.2.3-1.amzn2023.0.3.aarch64
    pmix-debugsource-3.2.3-1.amzn2023.0.3.aarch64

src:
    pmix-3.2.3-1.amzn2023.0.3.src

x86_64:
    pmix-pmi-debuginfo-3.2.3-1.amzn2023.0.3.x86_64
    pmix-pmi-devel-3.2.3-1.amzn2023.0.3.x86_64
    pmix-tools-3.2.3-1.amzn2023.0.3.x86_64
    pmix-devel-3.2.3-1.amzn2023.0.3.x86_64
    pmix-tools-debuginfo-3.2.3-1.amzn2023.0.3.x86_64
    pmix-pmi-3.2.3-1.amzn2023.0.3.x86_64
    pmix-debuginfo-3.2.3-1.amzn2023.0.3.x86_64
    pmix-3.2.3-1.amzn2023.0.3.x86_64
    pmix-debugsource-3.2.3-1.amzn2023.0.3.x86_64

Additional References

Red Hat: CVE-2023-41915

Mitre: CVE-2023-41915