ALAS2023-2025-1271


Amazon Linux 2023 Security Advisory: ALAS2023-2025-1271
Advisory Released Date: 2025-11-10
Advisory Updated Date: 2025-11-10
Severity: Important

Issue Overview:

net/url: insufficient validation of bracketed IPv6 hostnames

The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. (CVE-2025-47912)
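A defensive pre-check for the net/url issue above, added here as an example; it is not code from the advisory or from Go's own fix, and the function name CheckBracketedHost is hypothetical. It applies the RFC 3986 rule directly, so a caller on a still-unpatched toolchain rejects the bracketed IPv4 and hostname inputs described above, and it also accepts RFC 6874 zone identifiers, which the advisory text does not mention.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// CheckBracketedHost (hypothetical name) enforces the RFC 3986 rule from the
// advisory: a host written in square brackets must be an IPv6 address, with an
// optional RFC 6874 zone. IPv4 literals and DNS names inside brackets are
// rejected. It returns nil when the URL has no bracketed host or the bracketed
// value is a valid IPv6 literal.
func CheckBracketedHost(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		// A patched net/url already rejects e.g. "http://[example.com]/" here.
		return err
	}
	host := u.Host // still carries the brackets and any ":port" suffix
	if !strings.HasPrefix(host, "[") {
		return nil
	}
	end := strings.LastIndex(host, "]")
	if end < 0 {
		return fmt.Errorf("host %q: missing closing bracket", host)
	}
	inner := host[1:end] // url.Parse has already decoded "%25" to "%" before a zone
	addr, err := netip.ParseAddr(inner)
	if err != nil {
		return fmt.Errorf("host %q: bracketed value is not an IP address: %w", host, err)
	}
	if !addr.Is6() {
		return fmt.Errorf("host %q: only IPv6 may be bracketed, got IPv4 %s", host, addr)
	}
	return nil
}

func main() {
	// Constructed sample URLs: the first three are valid; the last two are the
	// shapes the advisory says an unpatched Parse accepted.
	samples := []string{
		"http://[::1]/",
		"http://[fe80::1%25eth0]:443/metrics",
		"http://[::ffff:10.0.0.1]/", // IPv4-mapped IPv6 is still an IPv6 literal
		"http://[127.0.0.1]/",
		"http://[example.com]/",
	}
	for _, s := range samples {
		fmt.Printf("%-40s -> %v\n", s, CheckBracketedHost(s))
	}
}
```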

archive/tar: unbounded allocation when parsing GNU sparse map

tar.Reader did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations. (CVE-2025-58183)

encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion

When parsing DER payloads, memory was being allocated before the payloads had been fully validated.
This permits an attacker to craft a large, empty DER payload that causes memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse. (CVE-2025-58185)

net/http: lack of limit when parsing cookies can cause memory exhaustion

Despite HTTP headers having a default limit of 1 MB, the number of cookies that can be parsed did not have a limit.
By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

net/http now limits the number of cookies accepted to 3000, which can be adjusted using the httpcookiemaxnum GODEBUG option. (CVE-2025-58186)

crypto/x509: quadratic complexity when checking name constraints

Due to the design of the name constraint checking algorithm, the processing time
of some inputs scales non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains. (CVE-2025-58187)

crypto/x509: panic when validating certificates with DSA public keys

Validating certificate chains which contain DSA public keys can cause programs
to panic, due to an interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains. (CVE-2025-58188)

encoding/pem: quadratic complexity when parsing some invalid inputs

Due to the design of the PEM parsing function, the processing time for some
inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs. (CVE-2025-61723)

net/textproto: excessive CPU consumption in Reader.ReadResponse

The Reader.ReadResponse function constructed a response string through
repeated string concatenation of lines. When the number of lines in a response is large,
this could cause excessive CPU consumption. (CVE-2025-61724)

net/mail: excessive CPU consumption in ParseAddress

The ParseAddress function constructed domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this could cause excessive CPU consumption. (CVE-2025-61725)


Affected Packages:

amazon-ecr-credential-helper


Issue Correction:
Run dnf update amazon-ecr-credential-helper --releasever 2023.9.20251110 or dnf update --advisory ALAS2023-2025-1271 --releasever 2023.9.20251110 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    amazon-ecr-credential-helper-0.10.1-3.amzn2023.aarch64

src:
    amazon-ecr-credential-helper-0.10.1-3.amzn2023.src

x86_64:
    amazon-ecr-credential-helper-0.10.1-3.amzn2023.x86_64