Amazon Linux 1 Security Advisory: ALAS-2023-1794
Advisory Release Date: 2023-08-03 20:16 Pacific
Advisory Updated Date: 2023-08-08 20:52 Pacific
An issue was discovered in OpenSSH 7.4 on Amazon Linux 2 and Amazon Linux 1. The fix for CVE-2019-6111 only covered cases where an absolute path is passed to scp. When a relative path is used there is no verification that the name of a file received by the client matches the file requested. (CVE-2023-35812)
Affected Packages:
openssh
Issue Correction:
Run yum update openssh to update your system.
i686:
openssh-clients-7.4p1-22.78.amzn1.i686
openssh-debuginfo-7.4p1-22.78.amzn1.i686
openssh-keycat-7.4p1-22.78.amzn1.i686
openssh-ldap-7.4p1-22.78.amzn1.i686
openssh-server-7.4p1-22.78.amzn1.i686
openssh-cavs-7.4p1-22.78.amzn1.i686
pam_ssh_agent_auth-0.10.3-2.22.78.amzn1.i686
openssh-7.4p1-22.78.amzn1.i686
src:
openssh-7.4p1-22.78.amzn1.src
x86_64:
openssh-server-7.4p1-22.78.amzn1.x86_64
openssh-7.4p1-22.78.amzn1.x86_64
pam_ssh_agent_auth-0.10.3-2.22.78.amzn1.x86_64
openssh-ldap-7.4p1-22.78.amzn1.x86_64
openssh-clients-7.4p1-22.78.amzn1.x86_64
openssh-cavs-7.4p1-22.78.amzn1.x86_64
openssh-debuginfo-7.4p1-22.78.amzn1.x86_64
openssh-keycat-7.4p1-22.78.amzn1.x86_64