ALAS-2024-502

Amazon Linux 2023 Security Advisory: ALAS-2024-502
Advisory Release Date: 2024-02-01 17:56 Pacific
Advisory Updated Date: 2024-02-06 15:00 Pacific
Severity: Low
Issue Overview:

A vulnerability was found in Linux PAM. An unprivileged user that is not yet in a corresponding mount namespace with ~/tmp mounted as a polyinstantiated dir can place a FIFO there, and a subsequent attempt to login as this user with `pam_namespace` configured will cause the `openat()` in `protect_dir()` to block the attempt, causing a local denial of service. (CVE-2024-22365)


Affected Packages:

pam


Issue Correction:
Run dnf update pam --releasever 2023.3.20240205 to update your system.

New Packages:
aarch64:
    pam-docs-1.5.1-8.amzn2023.0.4.aarch64
    pam-debugsource-1.5.1-8.amzn2023.0.4.aarch64
    pam-devel-1.5.1-8.amzn2023.0.4.aarch64
    pam-debuginfo-1.5.1-8.amzn2023.0.4.aarch64
    pam-1.5.1-8.amzn2023.0.4.aarch64

src:
    pam-1.5.1-8.amzn2023.0.4.src

x86_64:
    pam-docs-1.5.1-8.amzn2023.0.4.x86_64
    pam-devel-1.5.1-8.amzn2023.0.4.x86_64
    pam-debugsource-1.5.1-8.amzn2023.0.4.x86_64
    pam-debuginfo-1.5.1-8.amzn2023.0.4.x86_64
    pam-1.5.1-8.amzn2023.0.4.x86_64

Additional References

Red Hat: CVE-2024-22365

Mitre: CVE-2024-22365