[ALAS2-2022-1877] Amazon Linux 2 2017.12 - ALAS2-2022-1877: important priority package update for expat

Severity Important

Affected Packages 12

CVEs 1

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2022-40674:
A vulnerability was found in expat. With this flaw, it is possible to create a situation in which parsing is suspended while substituting in an internal entity so that XML_ResumeParser directly uses the internalEntityProcessor as its processor. If the subsequent parse includes some unclosed tags, this will return without calling storeRawNames to ensure that the raw versions of the tag names are stored in memory other than the parse buffer itself. Issues occur if the parse buffer is changed or reallocated (for example, if processing a file line by line), problems occur. Using this vulnerability in the doContent function allows an attacker to triage a denial of service or potentially arbitrary code execution.

Package	Affected Version
pkg:rpm/amazonlinux/expat?arch=x86_64&distro=amazonlinux-2	< 2.1.0-15.amzn2.0.1
pkg:rpm/amazonlinux/expat?arch=i686&distro=amazonlinux-2	< 2.1.0-15.amzn2.0.1
pkg:rpm/amazonlinux/expat?arch=aarch64&distro=amazonlinux-2	< 2.1.0-15.amzn2.0.1
pkg:rpm/amazonlinux/expat-static?arch=x86_64&distro=amazonlinux-2	< 2.1.0-15.amzn2.0.1
pkg:rpm/amazonlinux/expat-static?arch=i686&distro=amazonlinux-2	< 2.1.0-15.amzn2.0.1
pkg:rpm/amazonlinux/expat-static?arch=aarch64&distro=amazonlinux-2	< 2.1.0-15.amzn2.0.1
pkg:rpm/amazonlinux/expat-devel?arch=x86_64&distro=amazonlinux-2	< 2.1.0-15.amzn2.0.1
pkg:rpm/amazonlinux/expat-devel?arch=i686&distro=amazonlinux-2	< 2.1.0-15.amzn2.0.1
pkg:rpm/amazonlinux/expat-devel?arch=aarch64&distro=amazonlinux-2	< 2.1.0-15.amzn2.0.1
pkg:rpm/amazonlinux/expat-debuginfo?arch=x86_64&distro=amazonlinux-2	< 2.1.0-15.amzn2.0.1
pkg:rpm/amazonlinux/expat-debuginfo?arch=i686&distro=amazonlinux-2	< 2.1.0-15.amzn2.0.1
pkg:rpm/amazonlinux/expat-debuginfo?arch=aarch64&distro=amazonlinux-2	< 2.1.0-15.amzn2.0.1

ID

ALAS2-2022-1877

Severity

important

URL

https://alas.aws.amazon.com/AL2/ALAS-2022-1877.html

Published

2022-10-31T19:40:00
(22 months ago)

Modified

2022-11-08T22:19:00
(22 months ago)

Rights

Amazon Linux Security Team

Other Advisories

Source	# ID	Name	URL
CVE	CVE-2022-40674		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40674

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch
Affected	pkg:rpm/amazonlinux/expat?arch=x86_64&distro=amazonlinux-2	amazonlinux	expat	< 2.1.0-15.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/expat?arch=i686&distro=amazonlinux-2	amazonlinux	expat	< 2.1.0-15.amzn2.0.1	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/expat?arch=aarch64&distro=amazonlinux-2	amazonlinux	expat	< 2.1.0-15.amzn2.0.1	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/expat-static?arch=x86_64&distro=amazonlinux-2	amazonlinux	expat-static	< 2.1.0-15.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/expat-static?arch=i686&distro=amazonlinux-2	amazonlinux	expat-static	< 2.1.0-15.amzn2.0.1	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/expat-static?arch=aarch64&distro=amazonlinux-2	amazonlinux	expat-static	< 2.1.0-15.amzn2.0.1	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/expat-devel?arch=x86_64&distro=amazonlinux-2	amazonlinux	expat-devel	< 2.1.0-15.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/expat-devel?arch=i686&distro=amazonlinux-2	amazonlinux	expat-devel	< 2.1.0-15.amzn2.0.1	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/expat-devel?arch=aarch64&distro=amazonlinux-2	amazonlinux	expat-devel	< 2.1.0-15.amzn2.0.1	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/expat-debuginfo?arch=x86_64&distro=amazonlinux-2	amazonlinux	expat-debuginfo	< 2.1.0-15.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/expat-debuginfo?arch=i686&distro=amazonlinux-2	amazonlinux	expat-debuginfo	< 2.1.0-15.amzn2.0.1	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/expat-debuginfo?arch=aarch64&distro=amazonlinux-2	amazonlinux	expat-debuginfo	< 2.1.0-15.amzn2.0.1	amazonlinux-2	aarch64

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date