ALAS2-2025-2957

Amazon Linux 2 Security Advisory: ALAS2-2025-2957
Advisory Released Date: 2025-08-04
Advisory Updated Date: 2025-08-04

Severity: Medium

References: CVE-2025-24294
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.

An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.

This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition. (CVE-2025-24294)

Affected Packages:

ruby

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update ruby or yum update --advisory ALAS2-2025-2957 to update your system.

New Packages:

aarch64:
    ruby-2.0.0.648-36.amzn2.0.16.aarch64
    ruby-devel-2.0.0.648-36.amzn2.0.16.aarch64
    ruby-libs-2.0.0.648-36.amzn2.0.16.aarch64
    rubygem-bigdecimal-1.2.0-36.amzn2.0.16.aarch64
    rubygem-io-console-0.4.2-36.amzn2.0.16.aarch64
    rubygem-json-1.7.7-36.amzn2.0.16.aarch64
    rubygem-psych-2.0.0-36.amzn2.0.16.aarch64
    ruby-tcltk-2.0.0.648-36.amzn2.0.16.aarch64
    ruby-debuginfo-2.0.0.648-36.amzn2.0.16.aarch64

i686:
    ruby-2.0.0.648-36.amzn2.0.16.i686
    ruby-devel-2.0.0.648-36.amzn2.0.16.i686
    ruby-libs-2.0.0.648-36.amzn2.0.16.i686
    rubygem-bigdecimal-1.2.0-36.amzn2.0.16.i686
    rubygem-io-console-0.4.2-36.amzn2.0.16.i686
    rubygem-json-1.7.7-36.amzn2.0.16.i686
    rubygem-psych-2.0.0-36.amzn2.0.16.i686
    ruby-tcltk-2.0.0.648-36.amzn2.0.16.i686
    ruby-debuginfo-2.0.0.648-36.amzn2.0.16.i686

noarch:
    rubygems-2.0.14.1-36.amzn2.0.16.noarch
    rubygems-devel-2.0.14.1-36.amzn2.0.16.noarch
    rubygem-rake-0.9.6-36.amzn2.0.16.noarch
    ruby-irb-2.0.0.648-36.amzn2.0.16.noarch
    rubygem-rdoc-4.0.0-36.amzn2.0.16.noarch
    ruby-doc-2.0.0.648-36.amzn2.0.16.noarch
    rubygem-minitest-4.3.2-36.amzn2.0.16.noarch

src:
    ruby-2.0.0.648-36.amzn2.0.16.src

x86_64:
    ruby-2.0.0.648-36.amzn2.0.16.x86_64
    ruby-devel-2.0.0.648-36.amzn2.0.16.x86_64
    ruby-libs-2.0.0.648-36.amzn2.0.16.x86_64
    rubygem-bigdecimal-1.2.0-36.amzn2.0.16.x86_64
    rubygem-io-console-0.4.2-36.amzn2.0.16.x86_64
    rubygem-json-1.7.7-36.amzn2.0.16.x86_64
    rubygem-psych-2.0.0-36.amzn2.0.16.x86_64
    ruby-tcltk-2.0.0.648-36.amzn2.0.16.x86_64
    ruby-debuginfo-2.0.0.648-36.amzn2.0.16.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2025-24294

Mitre: CVE-2025-24294