ALAS2023-2026-1807


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1807
Advisory Released Date: 2026-06-08
Advisory Updated Date: 2026-06-08
Severity: Important

Issue Overview:

zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3. (CVE-2026-27820)

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4. (CVE-2026-42245)

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4. (CVE-2026-42246)

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4. (CVE-2026-42256)
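The defence against the iteration-count attack described above is to bound the work a server may demand before any PBKDF2 runs. The following is an added example, not Net::IMAP's code: a minimal parser for the SCRAM server-first-message ("r=<nonce>,s=<base64 salt>,i=<count>", RFC 5802) that rejects the exchange when the count exceeds a client-side cap. The cap value MAX_SCRAM_ITERATIONS and the helper names are assumptions made here for illustration; the nonce and salt in the comments are constructed test data.

```ruby
# Added example (not Net::IMAP's code): bound the SCRAM iteration count a
# hostile server can impose before the client derives SaltedPassword.
require "openssl"

# Policy choice, assumed here: 2**20 comfortably exceeds the counts real
# servers use (RFC 7677 recommends at least 4096 for SCRAM-SHA-256) while
# keeping the CPU cost of a single login attempt bounded.
MAX_SCRAM_ITERATIONS = 2**20

class ScramError < StandardError; end

# Parse "r=...,s=...,i=..." and validate each attribute before any key
# derivation happens. Returns the decoded salt and the accepted count.
def parse_server_first(message, client_nonce)
  fields = message.split(",").to_h do |pair|
    k, v = pair.split("=", 2)
    raise ScramError, "malformed attribute #{pair.inspect}" if v.nil?
    [k, v]
  end
  # An "m=" attribute means a mandatory extension we do not implement.
  raise ScramError, "server requires an unsupported extension" if fields.key?("m")
  nonce, salt_b64, count = fields.values_at("r", "s", "i")
  raise ScramError, "missing r=, s= or i= attribute" if nonce.nil? || salt_b64.nil? || count.nil?
  # The server nonce must begin with the nonce we sent.
  raise ScramError, "nonce mismatch" unless nonce.start_with?(client_nonce)
  # Only a plain positive decimal integer is acceptable for i=.
  raise ScramError, "bad iteration count #{count.inspect}" unless count.match?(/\A[1-9][0-9]*\z/)
  iterations = Integer(count, 10)
  if iterations > MAX_SCRAM_ITERATIONS
    raise ScramError, "server demanded #{iterations} PBKDF2 iterations, cap is #{MAX_SCRAM_ITERATIONS}"
  end
  # "m0" is strict base64: malformed salt raises ArgumentError instead of
  # being silently accepted.
  { nonce: nonce, salt: salt_b64.unpack1("m0"), iterations: iterations }
end

# Reached only after the count has passed the cap: SaltedPassword per RFC 5802.
def salted_password(password, salt, iterations, digest = "SHA256")
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                           length: OpenSSL::Digest.new(digest).digest_length,
                           hash: digest)
end

if __FILE__ == $0
  # Constructed exchange: a well-behaved server asking for 4096 iterations.
  client_nonce = "fyko+d2lbbFgONRv9qkxdawL"
  first = parse_server_first("r=#{client_nonce}3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096", client_nonce)
  puts "accepted #{first[:iterations]} iterations, salt #{first[:salt].bytesize} bytes"
  begin
    parse_server_first("r=#{client_nonce}3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=999999999999", client_nonce)
  rescue ScramError => e
    puts "rejected: #{e.message}"
  end
end
```

The check is cheap and happens before any hashing, so a server cannot make the client pay for the rejection. Pick the cap from the highest count your own servers legitimately use, with headroom, rather than from what the protocol permits.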

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4. (CVE-2026-42257)

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Symbol arguments passed to IMAP commands are sent without validation or escaping, leaving them open to the same CRLF injection / IMAP command injection as raw string arguments. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4. (CVE-2026-42258)
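The two injection issues above (CVE-2026-42257 and CVE-2026-42258) share one root cause: an argument, String or Symbol, is interpolated into the command line the client writes to the server, so a value containing CRLF ends the current command and everything after it is parsed as a new one. The following added example is not Net::IMAP's code and opens no socket: a toy command builder shows the bytes a vulnerable client would send beside a hardened builder that rejects control characters and encodes the argument as an IMAP quoted string or literal (RFC 3501 section 4.3). The function names and the class ImapArgumentError are assumptions made here for illustration; the mailbox names are constructed.

```ruby
# Added example (not Net::IMAP's code): CRLF / IMAP command injection through
# an unvalidated command argument, and one way to encode the argument safely.
CRLF = "\r\n"

# Vulnerable builder: the argument (String, or Symbol via to_s) goes onto the
# wire verbatim. "INBOX\r\nA002 DELETE Archive" becomes two commands.
def build_select_unsafe(tag, mailbox)
  "#{tag} SELECT #{mailbox}#{CRLF}"
end

class ImapArgumentError < ArgumentError; end

# Hardened encoding of an IMAP "astring": refuse every ASCII control byte
# (CR, LF and NUL included), send anything with 8-bit bytes as a length-
# prefixed literal (opaque to the command parser), otherwise as a quoted
# string with backslash and double quote escaped.
def imap_astring(value)
  s = value.to_s.b
  if s.bytes.any? { |b| b < 0x20 || b == 0x7f }
    raise ImapArgumentError, "control character in IMAP argument #{value.inspect}"
  end
  if s.bytes.any? { |b| b >= 0x80 }
    "{#{s.bytesize}}#{CRLF}#{s}"
  else
    '"' + s.gsub(/["\\]/) { |c| "\\" + c } + '"'
  end
end

def build_select_safe(tag, mailbox)
  "#{tag} SELECT #{imap_astring(mailbox)}#{CRLF}"
end

# Model of a line-oriented server: one command per CRLF-terminated line.
# (Adequate for the quoted-string cases shown here; a real server would
# consume a literal by its length prefix instead of splitting on CRLF.)
def server_command_split(wire)
  wire.split(CRLF).reject(&:empty?)
end

if __FILE__ == $0
  # Constructed hostile mailbox name smuggling a second command.
  evil = "INBOX#{CRLF}A002 DELETE Archive"
  p server_command_split(build_select_unsafe("A001", evil))
  begin
    build_select_safe("A001", evil)
  rescue ImapArgumentError => e
    puts "rejected: #{e.message}"
  end
  # Legitimate names still round-trip: quotes are escaped, 8-bit goes as a literal.
  print build_select_safe("A001", 'My "Mail"')
  print build_select_safe("A001", "Caf\u00e9")
end
```

Rejecting control characters is the right default for a client library: a caller who really needs such bytes in a mailbox name has no legitimate IMAP encoding for them anyway, and failing loudly is preferable to a server-side parse that the caller never sees.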


Affected Packages:

ruby3.4


Issue Correction:
Run dnf update ruby3.4 --releasever 2023.12.20260608 or dnf update --advisory ALAS2023-2026-1807 --releasever 2023.12.20260608 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    ruby3.4-rubygem-json-debuginfo-2.9.1-27.amzn2023.0.6.aarch64
    ruby3.4-devel-3.4.8-27.amzn2023.0.6.aarch64
    ruby3.4-rubygem-psych-debuginfo-5.2.2-27.amzn2023.0.6.aarch64
    ruby3.4-libs-debuginfo-3.4.8-27.amzn2023.0.6.aarch64
    ruby3.4-debuginfo-3.4.8-27.amzn2023.0.6.aarch64
    ruby3.4-rubygem-racc-debuginfo-1.8.1-27.amzn2023.0.6.aarch64
    ruby3.4-rubygem-bigdecimal-debuginfo-3.1.8-27.amzn2023.0.6.aarch64
    ruby3.4-rubygem-psych-5.2.2-27.amzn2023.0.6.aarch64
    ruby3.4-bundled-gems-3.4.8-27.amzn2023.0.6.aarch64
    ruby3.4-rubygem-bigdecimal-3.1.8-27.amzn2023.0.6.aarch64
    ruby3.4-debugsource-3.4.8-27.amzn2023.0.6.aarch64
    ruby3.4-rubygem-io-console-debuginfo-0.8.1-27.amzn2023.0.6.aarch64
    ruby3.4-rubygem-rbs-debuginfo-3.8.0-27.amzn2023.0.6.aarch64
    ruby3.4-rubygem-racc-1.8.1-27.amzn2023.0.6.aarch64
    ruby3.4-libs-3.4.8-27.amzn2023.0.6.aarch64
    ruby3.4-rubygem-io-console-0.8.1-27.amzn2023.0.6.aarch64
    ruby3.4-rubygem-json-2.9.1-27.amzn2023.0.6.aarch64
    ruby3.4-bundled-gems-debuginfo-3.4.8-27.amzn2023.0.6.aarch64
    ruby3.4-3.4.8-27.amzn2023.0.6.aarch64
    ruby3.4-rubygem-rbs-3.8.0-27.amzn2023.0.6.aarch64

noarch:
    ruby3.4-rubygem-rdoc-6.14.0-27.amzn2023.0.6.noarch
    ruby3.4-rubygem-bundler-2.6.9-27.amzn2023.0.6.noarch
    ruby3.4-rubygems-devel-3.6.9-27.amzn2023.0.6.noarch
    ruby3.4-rubygem-rexml-3.4.4-27.amzn2023.0.6.noarch
    ruby3.4-rubygem-rss-0.3.1-27.amzn2023.0.6.noarch
    ruby3.4-default-gems-3.4.8-27.amzn2023.0.6.noarch
    ruby3.4-rubygems-3.6.9-27.amzn2023.0.6.noarch
    ruby3.4-rubygem-minitest-5.25.4-27.amzn2023.0.6.noarch
    ruby3.4-rubygem-test-unit-3.6.7-27.amzn2023.0.6.noarch
    ruby3.4-rubygem-power_assert-2.0.5-27.amzn2023.0.6.noarch
    ruby3.4-rubygem-irb-1.14.3-27.amzn2023.0.6.noarch
    ruby3.4-rubygem-rake-13.2.1-27.amzn2023.0.6.noarch
    ruby3.4-rubygem-typeprof-0.30.1-27.amzn2023.0.6.noarch
    ruby3.4-doc-3.4.8-27.amzn2023.0.6.noarch

src:
    ruby3.4-3.4.8-27.amzn2023.0.6.src

x86_64:
    ruby3.4-bundled-gems-debuginfo-3.4.8-27.amzn2023.0.6.x86_64
    ruby3.4-rubygem-bigdecimal-debuginfo-3.1.8-27.amzn2023.0.6.x86_64
    ruby3.4-libs-debuginfo-3.4.8-27.amzn2023.0.6.x86_64
    ruby3.4-rubygem-bigdecimal-3.1.8-27.amzn2023.0.6.x86_64
    ruby3.4-rubygem-psych-debuginfo-5.2.2-27.amzn2023.0.6.x86_64
    ruby3.4-devel-3.4.8-27.amzn2023.0.6.x86_64
    ruby3.4-rubygem-rbs-3.8.0-27.amzn2023.0.6.x86_64
    ruby3.4-rubygem-psych-5.2.2-27.amzn2023.0.6.x86_64
    ruby3.4-rubygem-io-console-0.8.1-27.amzn2023.0.6.x86_64
    ruby3.4-rubygem-json-2.9.1-27.amzn2023.0.6.x86_64
    ruby3.4-rubygem-json-debuginfo-2.9.1-27.amzn2023.0.6.x86_64
    ruby3.4-bundled-gems-3.4.8-27.amzn2023.0.6.x86_64
    ruby3.4-rubygem-rbs-debuginfo-3.8.0-27.amzn2023.0.6.x86_64
    ruby3.4-rubygem-racc-debuginfo-1.8.1-27.amzn2023.0.6.x86_64
    ruby3.4-debugsource-3.4.8-27.amzn2023.0.6.x86_64
    ruby3.4-rubygem-racc-1.8.1-27.amzn2023.0.6.x86_64
    ruby3.4-debuginfo-3.4.8-27.amzn2023.0.6.x86_64
    ruby3.4-3.4.8-27.amzn2023.0.6.x86_64
    ruby3.4-rubygem-io-console-debuginfo-0.8.1-27.amzn2023.0.6.x86_64
    ruby3.4-libs-3.4.8-27.amzn2023.0.6.x86_64