ALAS-2024-679


Amazon Linux 2023 Security Advisory: ALAS-2024-679
Advisory Release Date: 2024-08-01 04:06 Pacific
Advisory Updated Date: 2025-02-26 19:34 Pacific
Severity: Important

Issue Overview:

In the Linux kernel, the following vulnerability has been resolved:

ima: Avoid blocking in RCU read-side critical section (CVE-2024-40947)

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Validate ff offset (CVE-2024-41019)

In the Linux kernel, the following vulnerability has been resolved:

filelock: Fix fcntl/close race recovery compat path (CVE-2024-41020)

In the Linux kernel, the following vulnerability has been resolved:

USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor (CVE-2024-41035)

In the Linux kernel, the following vulnerability has been resolved:

udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port(). (CVE-2024-41041)

In the Linux kernel, the following vulnerability has been resolved:

filelock: fix potential use-after-free in posix_lock_inode (CVE-2024-41049)

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: cyclic allocation of msg_id to avoid reuse (CVE-2024-41050)

In the Linux kernel, the following vulnerability has been resolved:

mm: prevent dereferencing NULL ptr in pfn_section_valid() (CVE-2024-41055)

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() (CVE-2024-41057)

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix slab-use-after-free in fscache_withdraw_volume() (CVE-2024-41058)

In the Linux kernel, the following vulnerability has been resolved:

nvme: avoid double free special payload (CVE-2024-41073)

In the Linux kernel, the following vulnerability has been resolved:

null_blk: fix validation of block size (CVE-2024-41077)

kernel: virtio-net: tap: mlx5_core short frame denial of service (CVE-2024-41090)

kernel: virtio-net: tun: mlx5_core short frame denial of service (CVE-2024-41091)

In the Linux kernel, the following vulnerability has been resolved:

cdrom: rearrange last_media_change check to avoid unintentional overflow (CVE-2024-42136)

In the Linux kernel, the following vulnerability has been resolved:

tcp_metrics: validate source addr length (CVE-2024-42154)


Affected Packages:

kernel


Issue Correction:
Run dnf update kernel --releasever 2023.5.20240805 to update your system.

New Packages:
aarch64:
    python3-perf-debuginfo-6.1.102-108.177.amzn2023.aarch64
    kernel-libbpf-devel-6.1.102-108.177.amzn2023.aarch64
    kernel-livepatch-6.1.102-108.177-1.0-0.amzn2023.aarch64
    kernel-libbpf-6.1.102-108.177.amzn2023.aarch64
    kernel-modules-extra-6.1.102-108.177.amzn2023.aarch64
    kernel-libbpf-static-6.1.102-108.177.amzn2023.aarch64
    python3-perf-6.1.102-108.177.amzn2023.aarch64
    bpftool-debuginfo-6.1.102-108.177.amzn2023.aarch64
    bpftool-6.1.102-108.177.amzn2023.aarch64
    kernel-headers-6.1.102-108.177.amzn2023.aarch64
    kernel-tools-debuginfo-6.1.102-108.177.amzn2023.aarch64
    perf-debuginfo-6.1.102-108.177.amzn2023.aarch64
    kernel-tools-6.1.102-108.177.amzn2023.aarch64
    kernel-6.1.102-108.177.amzn2023.aarch64
    kernel-modules-extra-common-6.1.102-108.177.amzn2023.aarch64
    perf-6.1.102-108.177.amzn2023.aarch64
    kernel-tools-devel-6.1.102-108.177.amzn2023.aarch64
    kernel-debuginfo-6.1.102-108.177.amzn2023.aarch64
    kernel-debuginfo-common-aarch64-6.1.102-108.177.amzn2023.aarch64
    kernel-devel-6.1.102-108.177.amzn2023.aarch64

src:
    kernel-6.1.102-108.177.amzn2023.src

x86_64:
    perf-6.1.102-108.177.amzn2023.x86_64
    python3-perf-debuginfo-6.1.102-108.177.amzn2023.x86_64
    kernel-libbpf-static-6.1.102-108.177.amzn2023.x86_64
    python3-perf-6.1.102-108.177.amzn2023.x86_64
    bpftool-debuginfo-6.1.102-108.177.amzn2023.x86_64
    perf-debuginfo-6.1.102-108.177.amzn2023.x86_64
    kernel-tools-6.1.102-108.177.amzn2023.x86_64
    kernel-tools-devel-6.1.102-108.177.amzn2023.x86_64
    kernel-headers-6.1.102-108.177.amzn2023.x86_64
    kernel-tools-debuginfo-6.1.102-108.177.amzn2023.x86_64
    kernel-libbpf-devel-6.1.102-108.177.amzn2023.x86_64
    bpftool-6.1.102-108.177.amzn2023.x86_64
    kernel-modules-extra-6.1.102-108.177.amzn2023.x86_64
    kernel-livepatch-6.1.102-108.177-1.0-0.amzn2023.x86_64
    kernel-modules-extra-common-6.1.102-108.177.amzn2023.x86_64
    kernel-libbpf-6.1.102-108.177.amzn2023.x86_64
    kernel-debuginfo-6.1.102-108.177.amzn2023.x86_64
    kernel-6.1.102-108.177.amzn2023.x86_64
    kernel-debuginfo-common-x86_64-6.1.102-108.177.amzn2023.x86_64
    kernel-devel-6.1.102-108.177.amzn2023.x86_64