ALAS-2024-759


Amazon Linux 2023 Security Advisory: ALAS-2024-759
Advisory Release Date: 2024-11-13 12:28 Pacific
Advisory Updated Date: 2024-11-14 11:00 Pacific
Severity: Important

Issue Overview:

libexpat through 2.5.0 allows a denial of service (resource consumption) because a large token that spans multiple buffer fills forces many full reparsings of the buffered data.

Considering the tradeoff between the stability of Amazon Linux and the impact of CVE-2023-52425, a fix will not be provided for firefox and thunderbird in Amazon Linux 2 at this time. (CVE-2023-52425)

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. (CVE-2024-45490)


Affected Packages:

expat


Issue Correction:
Run dnf update expat --releasever 2023.6.20241111 to update your system.

New Packages:
aarch64:
    expat-static-2.6.3-1.amzn2023.0.1.aarch64
    expat-debuginfo-2.6.3-1.amzn2023.0.1.aarch64
    expat-2.6.3-1.amzn2023.0.1.aarch64
    expat-devel-2.6.3-1.amzn2023.0.1.aarch64
    expat-debugsource-2.6.3-1.amzn2023.0.1.aarch64

src:
    expat-2.6.3-1.amzn2023.0.1.src

x86_64:
    expat-static-2.6.3-1.amzn2023.0.1.x86_64
    expat-devel-2.6.3-1.amzn2023.0.1.x86_64
    expat-2.6.3-1.amzn2023.0.1.x86_64
    expat-debugsource-2.6.3-1.amzn2023.0.1.x86_64
    expat-debuginfo-2.6.3-1.amzn2023.0.1.x86_64
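Verifying that a host actually carries the fixed build means comparing the installed expat EVR against 2.6.3-1.amzn2023.0.1 with RPM's own ordering rules rather than a plain string or float comparison (RPM strips leading zeros, treats numeric segments as newer than alphabetic ones, and gives "~" and "^" special meaning). The following is an added example, not part of this advisory or of the expat project: a Python port of librpm's rpmvercmp() plus a small audit over `rpm -qa` output. The sample output lines and the "2.5.0-1.amzn2023.0.4" version in them are constructed for illustration and are not taken from an Amazon Linux package repository.

```python
"""Check installed expat packages against the fixed EVR from ALAS-2024-759.

Added example (not Amazon's or expat's code). The version comparison is a port of
librpm's rpmvercmp(); the fixed version/release string comes from this advisory.
"""
import re
import shutil
import subprocess

# Fixed version-release from the "New Packages" section (expat has no epoch on AL2023).
FIXED_EXPAT_EVR = "0:2.6.3-1.amzn2023.0.1"

# Query format that always prints a numeric epoch ("0" when the package has none).
RPM_QUERY_FORMAT = "%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE} %{ARCH}\n"

# Constructed sample output in RPM_QUERY_FORMAT (not real repository data).
SAMPLE_RPM_OUTPUT = [
    "expat 0:2.5.0-1.amzn2023.0.4 x86_64",        # hypothetical pre-fix build
    "expat-devel 0:2.6.3-1.amzn2023.0.1 x86_64",  # fixed build from this advisory
]


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 ordering a against b the way librpm's rpmvercmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything that is not alphanumeric, '~' or '^') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # Tilde sorts before everything, including end of string: 1.0~rc1 < 1.0.
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # Caret is like tilde except that end of string is the older side: 1.0 < 1.0^post1.
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        # Take one segment from each side: a run of digits or a run of letters.
        pattern = r"[0-9]+" if ca.isdigit() else r"[A-Za-z]+"
        ma, mb = re.match(pattern, a[i:]), re.match(pattern, b[j:])
        if mb is None:  # segment types differ; a numeric segment is always newer
            return 1 if ca.isdigit() else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if ca.isdigit():
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # longer digit string (after stripping zeros) is larger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever side still has characters left wins


def parse_evr(evr: str):
    """Split 'epoch:version-release' into its parts; missing epoch defaults to '0'."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def is_patched(installed_evr: str, fixed_evr: str = FIXED_EXPAT_EVR) -> bool:
    """True when the installed EVR is at or above the advisory's fixed EVR."""
    return evrcmp(installed_evr, fixed_evr) >= 0


def audit_rpm_lines(lines, fixed_evr: str = FIXED_EXPAT_EVR) -> dict:
    """Map 'name.arch' -> patched? for each line of `rpm -qa 'expat*'` in RPM_QUERY_FORMAT."""
    result = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        name, evr, arch = parts
        result[f"{name}.{arch}"] = is_patched(evr, fixed_evr)
    return result


if __name__ == "__main__":
    lines = SAMPLE_RPM_OUTPUT
    if shutil.which("rpm"):  # on a real host, query the RPM database instead
        out = subprocess.run(["rpm", "-qa", "expat*", "--qf", RPM_QUERY_FORMAT],
                             capture_output=True, text=True, check=False).stdout
        lines = out.splitlines() or lines
    for pkg, ok in audit_rpm_lines(lines).items():
        print(f"{pkg}: {'patched' if ok else 'VULNERABLE (below ' + FIXED_EXPAT_EVR + ')'}")
```

Run it on an AL2023 host after `dnf update expat --releasever 2023.6.20241111` and every expat* row should report patched; a row still below the fixed EVR usually means the host is pinned to an earlier releasever or the update was never applied. The script compares the package epoch as well because a rebuild that bumps the epoch would otherwise be misread as a downgrade.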