ALAS-2024-581


Amazon Linux 2023 Security Advisory: ALAS-2024-581
Advisory Release Date: 2024-03-27 22:12 Pacific
Advisory Updated Date: 2024-03-27 22:12 Pacific
Severity: Low

Issue Overview:

A flaw was found in curl, where it inadvertently kept the SSL session ID for a connection in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, because the resumed session skips the verify status check. (CVE-2024-0853)
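The ordering problem described above, as an added example that is not part of the advisory and is not curl's source code: a simplified model in which the session is cached either before or after the verify status test. The struct, function names, and the hostname example.test are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy single-entry session cache; constructed for illustration, not curl's. */
struct session_cache { char host[64]; bool fresh; };

static void store_session(struct session_cache *c, const char *host)
{
    snprintf(c->host, sizeof c->host, "%s", host);
    c->fresh = true;
}

/* Full handshake. staple_ok is the outcome of the verify status (OCSP
 * stapling) test; store_before_verify selects the flawed ordering. */
static bool full_handshake(struct session_cache *c, const char *host,
                           bool staple_ok, bool store_before_verify)
{
    if (store_before_verify)
        store_session(c, host);   /* flawed: cached before the check ran */
    if (!staple_ok)
        return false;             /* this transfer is correctly rejected */
    if (!store_before_verify)
        store_session(c, host);   /* corrected: cached only after success */
    return true;
}

/* One transfer: a fresh cached session for the host is resumed, and a
 * resumed session does not repeat the verify status test. */
bool transfer(struct session_cache *c, const char *host,
              bool staple_ok, bool store_before_verify)
{
    if (c->fresh && strcmp(c->host, host) == 0)
        return true;
    return full_handshake(c, host, staple_ok, store_before_verify);
}

int main(void)
{
    struct session_cache flawed = {0}, corrected = {0};
    /* Constructed scenario: the stapling test fails on both transfers. */
    bool f1 = transfer(&flawed, "example.test", false, true);
    bool f2 = transfer(&flawed, "example.test", false, true);
    bool c1 = transfer(&corrected, "example.test", false, false);
    bool c2 = transfer(&corrected, "example.test", false, false);
    printf("flawed:    first=%d second=%d\n", f1, f2);
    printf("corrected: first=%d second=%d\n", c1, c2);
    return 0;
}
```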


Affected Packages:

curl


Issue Correction:
Run dnf update curl --releasever 2023.4.20240401 to update your system.

New Packages:
aarch64:
    libcurl-minimal-debuginfo-8.5.0-1.amzn2023.0.3.aarch64
    curl-minimal-debuginfo-8.5.0-1.amzn2023.0.3.aarch64
    libcurl-debuginfo-8.5.0-1.amzn2023.0.3.aarch64
    curl-minimal-8.5.0-1.amzn2023.0.3.aarch64
    libcurl-minimal-8.5.0-1.amzn2023.0.3.aarch64
    curl-debugsource-8.5.0-1.amzn2023.0.3.aarch64
    curl-debuginfo-8.5.0-1.amzn2023.0.3.aarch64
    curl-8.5.0-1.amzn2023.0.3.aarch64
    libcurl-8.5.0-1.amzn2023.0.3.aarch64
    libcurl-devel-8.5.0-1.amzn2023.0.3.aarch64

src:
    curl-8.5.0-1.amzn2023.0.3.src

x86_64:
    curl-8.5.0-1.amzn2023.0.3.x86_64
    curl-debugsource-8.5.0-1.amzn2023.0.3.x86_64
    curl-debuginfo-8.5.0-1.amzn2023.0.3.x86_64
    libcurl-minimal-debuginfo-8.5.0-1.amzn2023.0.3.x86_64
    libcurl-8.5.0-1.amzn2023.0.3.x86_64
    curl-minimal-8.5.0-1.amzn2023.0.3.x86_64
    libcurl-minimal-8.5.0-1.amzn2023.0.3.x86_64
    libcurl-debuginfo-8.5.0-1.amzn2023.0.3.x86_64
    curl-minimal-debuginfo-8.5.0-1.amzn2023.0.3.x86_64
    libcurl-devel-8.5.0-1.amzn2023.0.3.x86_64