ALAS-2024-709

Amazon Linux 2023 Security Advisory: ALAS-2024-709
Advisory Release Date: 2024-08-28 20:03 Pacific
Advisory Updated Date: 2024-12-05 20:34 Pacific

Severity: Medium

References: CVE-2024-41042 CVE-2024-42159 CVE-2024-42258 CVE-2024-42259 CVE-2024-42268 CVE-2024-42302 CVE-2024-43823 CVE-2024-43869 CVE-2024-43870 CVE-2024-43871 CVE-2024-43873 CVE-2024-44934 CVE-2024-44944
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

2024-12-05: CVE-2024-41042 was added to this advisory.

2024-11-13: CVE-2024-42268 was added to this advisory.

2024-11-13: CVE-2024-43823 was added to this advisory.

2024-10-10: CVE-2024-42302 was added to this advisory.

2024-09-12: CVE-2024-44934 was added to this advisory.

2024-09-12: CVE-2024-44944 was added to this advisory.

2024-09-12: CVE-2024-42159 was added to this advisory.

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: prefer nft_chain_validate (CVE-2024-41042)

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpi3mr: Sanitise num_phys (CVE-2024-42159)

In the Linux kernel, the following vulnerability has been resolved:

mm: huge_memory: use !CONFIG_64BIT to relax huge page alignment on 32 bit machines (CVE-2024-42258)

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gem: Fix Virtual Memory mapping boundaries calculation (CVE-2024-42259)

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix missing lock on sync reset reload (CVE-2024-42268)

In the Linux kernel, the following vulnerability has been resolved:

PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal (CVE-2024-42302)

In the Linux kernel, the following vulnerability has been resolved:

PCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs() (CVE-2024-43823)

In the Linux kernel, the following vulnerability has been resolved:

perf: Fix event leak upon exec and file release (CVE-2024-43869)

In the Linux kernel, the following vulnerability has been resolved:

perf: Fix event leak upon exit (CVE-2024-43870)

In the Linux kernel, the following vulnerability has been resolved:

devres: Fix memory leakage caused by driver API devm_free_percpu() (CVE-2024-43871)

In the Linux kernel, the following vulnerability has been resolved:

vhost/vsock: always initialize seqpacket_allow (CVE-2024-43873)

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: mcast: wait for previous gc cycles when removing port (CVE-2024-44934)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: use helper function to calculate expect ID (CVE-2024-44944)

Affected Packages:

kernel

Issue Correction:
Run dnf update kernel --releasever 2023.5.20240903 to update your system.

New Packages:

aarch64:
    perf-debuginfo-6.1.106-116.188.amzn2023.aarch64
    kernel-tools-devel-6.1.106-116.188.amzn2023.aarch64
    python3-perf-debuginfo-6.1.106-116.188.amzn2023.aarch64
    bpftool-debuginfo-6.1.106-116.188.amzn2023.aarch64
    kernel-tools-debuginfo-6.1.106-116.188.amzn2023.aarch64
    kernel-libbpf-devel-6.1.106-116.188.amzn2023.aarch64
    python3-perf-6.1.106-116.188.amzn2023.aarch64
    kernel-libbpf-static-6.1.106-116.188.amzn2023.aarch64
    kernel-modules-extra-common-6.1.106-116.188.amzn2023.aarch64
    kernel-livepatch-6.1.106-116.188-1.0-0.amzn2023.aarch64
    bpftool-6.1.106-116.188.amzn2023.aarch64
    kernel-tools-6.1.106-116.188.amzn2023.aarch64
    perf-6.1.106-116.188.amzn2023.aarch64
    kernel-modules-extra-6.1.106-116.188.amzn2023.aarch64
    kernel-libbpf-6.1.106-116.188.amzn2023.aarch64
    kernel-debuginfo-6.1.106-116.188.amzn2023.aarch64
    kernel-headers-6.1.106-116.188.amzn2023.aarch64
    kernel-6.1.106-116.188.amzn2023.aarch64
    kernel-debuginfo-common-aarch64-6.1.106-116.188.amzn2023.aarch64
    kernel-devel-6.1.106-116.188.amzn2023.aarch64

src:
    kernel-6.1.106-116.188.amzn2023.src

x86_64:
    kernel-tools-devel-6.1.106-116.188.amzn2023.x86_64
    python3-perf-debuginfo-6.1.106-116.188.amzn2023.x86_64
    kernel-modules-extra-common-6.1.106-116.188.amzn2023.x86_64
    kernel-libbpf-6.1.106-116.188.amzn2023.x86_64
    kernel-libbpf-devel-6.1.106-116.188.amzn2023.x86_64
    kernel-libbpf-static-6.1.106-116.188.amzn2023.x86_64
    bpftool-debuginfo-6.1.106-116.188.amzn2023.x86_64
    kernel-headers-6.1.106-116.188.amzn2023.x86_64
    perf-6.1.106-116.188.amzn2023.x86_64
    kernel-tools-debuginfo-6.1.106-116.188.amzn2023.x86_64
    perf-debuginfo-6.1.106-116.188.amzn2023.x86_64
    python3-perf-6.1.106-116.188.amzn2023.x86_64
    kernel-modules-extra-6.1.106-116.188.amzn2023.x86_64
    kernel-livepatch-6.1.106-116.188-1.0-0.amzn2023.x86_64
    kernel-tools-6.1.106-116.188.amzn2023.x86_64
    bpftool-6.1.106-116.188.amzn2023.x86_64
    kernel-debuginfo-6.1.106-116.188.amzn2023.x86_64
    kernel-6.1.106-116.188.amzn2023.x86_64
    kernel-debuginfo-common-x86_64-6.1.106-116.188.amzn2023.x86_64
    kernel-devel-6.1.106-116.188.amzn2023.x86_64

Additional References

Red Hat: CVE-2024-41042, CVE-2024-42159, CVE-2024-42258, CVE-2024-42259, CVE-2024-42268, CVE-2024-42302, CVE-2024-43823, CVE-2024-43869, CVE-2024-43870, CVE-2024-43871, CVE-2024-43873, CVE-2024-44934, CVE-2024-44944

Mitre: CVE-2024-41042, CVE-2024-42159, CVE-2024-42258, CVE-2024-42259, CVE-2024-42268, CVE-2024-42302, CVE-2024-43823, CVE-2024-43869, CVE-2024-43870, CVE-2024-43871, CVE-2024-43873, CVE-2024-44934, CVE-2024-44944