ALAS-2024-507

Amazon Linux 2023 Security Advisory: ALAS-2024-507
Advisory Release Date: 2024-02-01 17:56 Pacific
Advisory Updated Date: 2024-02-06 15:00 Pacific
Severity: Important
Issue Overview:

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.

NOTE: https://sqlite.org/forum/forumpost/5bcbf4571c
NOTE: Fixed by: https://sqlite.org/src/info/0e4e7a05c4204b47 (CVE-2023-7104)


Affected Packages:

nss


Issue Correction:
Run dnf update nss --releasever 2023.3.20240205 to update your system.

New Packages:
aarch64:
    nss-softokn-freebl-debuginfo-3.90.0-3.amzn2023.0.5.aarch64
    nss-softokn-debuginfo-3.90.0-3.amzn2023.0.5.aarch64
    nss-tools-debuginfo-3.90.0-3.amzn2023.0.5.aarch64
    nss-util-3.90.0-3.amzn2023.0.5.aarch64
    nss-devel-3.90.0-3.amzn2023.0.5.aarch64
    nss-softokn-devel-3.90.0-3.amzn2023.0.5.aarch64
    nss-pkcs11-devel-3.90.0-3.amzn2023.0.5.aarch64
    nspr-4.35.0-5.amzn2023.0.5.aarch64
    nss-sysinit-3.90.0-3.amzn2023.0.5.aarch64
    nss-softokn-freebl-3.90.0-3.amzn2023.0.5.aarch64
    nss-sysinit-debuginfo-3.90.0-3.amzn2023.0.5.aarch64
    nss-debuginfo-3.90.0-3.amzn2023.0.5.aarch64
    nss-util-debuginfo-3.90.0-3.amzn2023.0.5.aarch64
    nspr-debuginfo-4.35.0-5.amzn2023.0.5.aarch64
    nss-debugsource-3.90.0-3.amzn2023.0.5.aarch64
    nss-softokn-freebl-devel-3.90.0-3.amzn2023.0.5.aarch64
    nss-softokn-3.90.0-3.amzn2023.0.5.aarch64
    nspr-devel-4.35.0-5.amzn2023.0.5.aarch64
    nss-util-devel-3.90.0-3.amzn2023.0.5.aarch64
    nss-3.90.0-3.amzn2023.0.5.aarch64
    nss-tools-3.90.0-3.amzn2023.0.5.aarch64

src:
    nss-3.90.0-3.amzn2023.0.5.src

x86_64:
    nss-debuginfo-3.90.0-3.amzn2023.0.5.x86_64
    nss-util-debuginfo-3.90.0-3.amzn2023.0.5.x86_64
    nss-softokn-freebl-devel-3.90.0-3.amzn2023.0.5.x86_64
    nss-softokn-freebl-debuginfo-3.90.0-3.amzn2023.0.5.x86_64
    nss-util-3.90.0-3.amzn2023.0.5.x86_64
    nss-sysinit-debuginfo-3.90.0-3.amzn2023.0.5.x86_64
    nss-softokn-debuginfo-3.90.0-3.amzn2023.0.5.x86_64
    nss-softokn-devel-3.90.0-3.amzn2023.0.5.x86_64
    nspr-devel-4.35.0-5.amzn2023.0.5.x86_64
    nss-tools-debuginfo-3.90.0-3.amzn2023.0.5.x86_64
    nspr-debuginfo-4.35.0-5.amzn2023.0.5.x86_64
    nss-util-devel-3.90.0-3.amzn2023.0.5.x86_64
    nss-devel-3.90.0-3.amzn2023.0.5.x86_64
    nss-sysinit-3.90.0-3.amzn2023.0.5.x86_64
    nss-pkcs11-devel-3.90.0-3.amzn2023.0.5.x86_64
    nss-softokn-3.90.0-3.amzn2023.0.5.x86_64
    nss-debugsource-3.90.0-3.amzn2023.0.5.x86_64
    nspr-4.35.0-5.amzn2023.0.5.x86_64
    nss-tools-3.90.0-3.amzn2023.0.5.x86_64
    nss-softokn-freebl-3.90.0-3.amzn2023.0.5.x86_64
    nss-3.90.0-3.amzn2023.0.5.x86_64

Additional References

Red Hat: CVE-2023-7104

Mitre: CVE-2023-7104