ALAS2-2025-2878

Amazon Linux 2 Security Advisory: ALAS2-2025-2878
Advisory Released Date: 2025-06-12
Advisory Updated Date: 2025-06-12

Severity: Medium

References: CVE-2025-46802
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

TTY Hijacking while Attaching to a Multiuser Session in the screen package

Has potential to break some reattach use cases, but the specific use case was broken already before.
screen in Debian not installed setuid or setgid
DEBIANBUG: [1105191]

Info: https://www.openwall.com/lists/oss-security/2025/05/12/1
Patch: https://git.savannah.gnu.org/cgit/screen.git/commit/?id=049b26b22e197ba3be9c46e5c193032e01a4724a (CVE-2025-46802)

Affected Packages:

screen

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update screen to update your system.

New Packages:

aarch64:
    screen-4.1.0-0.27.20120314git3c2946.amzn2.0.2.aarch64
    screen-debuginfo-4.1.0-0.27.20120314git3c2946.amzn2.0.2.aarch64

i686:
    screen-4.1.0-0.27.20120314git3c2946.amzn2.0.2.i686
    screen-debuginfo-4.1.0-0.27.20120314git3c2946.amzn2.0.2.i686

src:
    screen-4.1.0-0.27.20120314git3c2946.amzn2.0.2.src

x86_64:
    screen-4.1.0-0.27.20120314git3c2946.amzn2.0.2.x86_64
    screen-debuginfo-4.1.0-0.27.20120314git3c2946.amzn2.0.2.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2025-46802

Mitre: CVE-2025-46802