ALAS-2021-1496

Amazon Linux 1 Security Advisory: ALAS-2021-1496
Advisory Release Date: 2021-05-06 19:11 Pacific
Advisory Updated Date: 2021-05-07 19:54 Pacific

Severity: Medium

References: CVE-2021-28831
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data. (CVE-2021-28831)

Affected Packages:

busybox

Issue Correction:
Run yum update busybox to update your system.

New Packages:

i686:
    busybox-1.19.3-2.12.amzn1.i686
    busybox-petitboot-1.19.3-2.12.amzn1.i686

src:
    busybox-1.19.3-2.12.amzn1.src

x86_64:
    busybox-1.19.3-2.12.amzn1.x86_64
    busybox-petitboot-1.19.3-2.12.amzn1.x86_64

Additional References

Red Hat: CVE-2021-28831

Mitre: CVE-2021-28831