ALAS-2024-789

Amazon Linux 2023 Security Advisory: ALAS-2024-789
Advisory Release Date: 2024-12-05 20:34 Pacific
Advisory Updated Date: 2024-12-16 13:30 Pacific
Severity: Medium
Issue Overview:

Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data.

This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h)

Users are recommended to upgrade to APR version 1.7.5, which fixes this issue. (CVE-2023-49582)


Affected Packages:

apr


Issue Correction:
Run dnf update apr --releasever 2023.6.20241212 to update your system.

New Packages:
aarch64:
    apr-debugsource-1.7.5-1.amzn2023.0.2.aarch64
    apr-debuginfo-1.7.5-1.amzn2023.0.2.aarch64
    apr-1.7.5-1.amzn2023.0.2.aarch64
    apr-devel-1.7.5-1.amzn2023.0.2.aarch64

src:
    apr-1.7.5-1.amzn2023.0.2.src

x86_64:
    apr-debuginfo-1.7.5-1.amzn2023.0.2.x86_64
    apr-debugsource-1.7.5-1.amzn2023.0.2.x86_64
    apr-1.7.5-1.amzn2023.0.2.x86_64
    apr-devel-1.7.5-1.amzn2023.0.2.x86_64

Additional References

Red Hat: CVE-2023-49582

Mitre: CVE-2023-49582