Amazon Linux 2023 Security Advisory: ALAS-2023-388
Advisory Release Date: 2023-10-12 16:11 Pacific
Advisory Updated Date: 2023-10-24 15:46 Pacific
Severity:
Important
References:
CVE-2021-43565
CVE-2022-41723
CVE-2023-24538
FAQs regarding Amazon Linux ALAS/CVE Severity
FAQs regarding Amazon Linux ALAS/CVE Severity
Issue Overview:
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. (CVE-2021-43565)
http2/hpack: avoid quadratic complexity in hpack decoding (CVE-2022-41723)
Templates did not properly consider backticks (`) as Javascript string delimiters, and as such did
not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template
contained a Go template action within a Javascript template literal, the contents of the action could
be used to terminate the literal, injecting arbitrary Javascript code into the Go template. (CVE-2023-24538)
Affected Packages:
amazon-ssm-agent
Issue Correction:
Run dnf update amazon-ssm-agent --releasever 2023.2.20231018 to update your system.
New Packages:
aarch64:
amazon-ssm-agent-debuginfo-3.2.1705.0-1.amzn2023.aarch64
amazon-ssm-agent-3.2.1705.0-1.amzn2023.aarch64
amazon-ssm-agent-debugsource-3.2.1705.0-1.amzn2023.aarch64
src:
amazon-ssm-agent-3.2.1705.0-1.amzn2023.src
x86_64:
amazon-ssm-agent-3.2.1705.0-1.amzn2023.x86_64
amazon-ssm-agent-debuginfo-3.2.1705.0-1.amzn2023.x86_64
amazon-ssm-agent-debugsource-3.2.1705.0-1.amzn2023.x86_64