ALAS2-2025-2970

Amazon Linux 2 Security Advisory: ALAS2-2025-2970
Advisory Released Date: 2025-08-19
Advisory Updated Date: 2025-08-19
Severity: Important
Issue Overview:

A cookie management issue was addressed with improved state management. This issue is fixed in watchOS 11, macOS Sequoia 15, Safari 18, visionOS 2, iOS 18 and iPadOS 18, tvOS 18. A malicious website may exfiltrate data cross-origin. (CVE-2024-54467)

The issue was addressed with improved checks. This issue is fixed in Safari 18.3, visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. Processing maliciously crafted web content may lead to memory corruption. (CVE-2025-24189)

This issue was addressed with improved handling of floats. This issue is fixed in tvOS 18.4, Safari 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A type confusion issue could lead to memory corruption. (CVE-2025-24213)

The issue was addressed with improved memory handling. This issue is fixed in watchOS 11.5, tvOS 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5, Safari 18.5. Processing maliciously crafted web content may lead to memory corruption. (CVE-2025-24223)

The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6, tvOS 18.6, watchOS 11.6, visionOS 2.6. Processing maliciously crafted web content may lead to memory corruption. (CVE-2025-31273)

The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, iPadOS 17.7.9, watchOS 11.6, visionOS 2.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6. Processing maliciously crafted web content may lead to memory corruption. (CVE-2025-31278)

The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, macOS Sequoia 15.6, iPadOS 17.7.9, iOS 18.6 and iPadOS 18.6, tvOS 18.6, watchOS 11.6, visionOS 2.6. Processing web content may lead to a denial-of-service. (CVE-2025-43211)

The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6, tvOS 18.6, watchOS 11.6, visionOS 2.6. Processing maliciously crafted web content may lead to an unexpected Safari crash. (CVE-2025-43212)

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 18.6, watchOS 11.6, iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, tvOS 18.6, macOS Sequoia 15.6, visionOS 2.6. Processing maliciously crafted web content may lead to an unexpected Safari crash. (CVE-2025-43216)

This issue was addressed through improved state management. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, watchOS 11.6, visionOS 2.6. Processing maliciously crafted web content may disclose sensitive user information. (CVE-2025-43227)

The issue was addressed with improved UI. This issue is fixed in iOS 18.6 and iPadOS 18.6, Safari 18. 6. Visiting a malicious website may lead to address bar spoofing. (CVE-2025-43228)

A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.6, Safari 18. 6. A download's origin may be incorrectly associated. (CVE-2025-43240)

An out-of-bounds read was addressed with improved input validation. This issue is fixed in Safari 18.6, watchOS 11.6, visionOS 2.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6. Processing maliciously crafted web content may disclose internal states of the app. (CVE-2025-43265)


Affected Packages:

webkitgtk4


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update webkitgtk4 or yum update --advisory ALAS2-2025-2970 to update your system.

New Packages:
aarch64:
    webkitgtk4-2.48.5-1.amzn2.aarch64
    webkitgtk4-devel-2.48.5-1.amzn2.aarch64
    webkitgtk4-jsc-2.48.5-1.amzn2.aarch64
    webkitgtk4-jsc-devel-2.48.5-1.amzn2.aarch64
    webkitgtk4-debuginfo-2.48.5-1.amzn2.aarch64

i686:
    webkitgtk4-2.48.5-1.amzn2.i686
    webkitgtk4-devel-2.48.5-1.amzn2.i686
    webkitgtk4-jsc-2.48.5-1.amzn2.i686
    webkitgtk4-jsc-devel-2.48.5-1.amzn2.i686
    webkitgtk4-debuginfo-2.48.5-1.amzn2.i686

src:
    webkitgtk4-2.48.5-1.amzn2.src

x86_64:
    webkitgtk4-2.48.5-1.amzn2.x86_64
    webkitgtk4-devel-2.48.5-1.amzn2.x86_64
    webkitgtk4-jsc-2.48.5-1.amzn2.x86_64
    webkitgtk4-jsc-devel-2.48.5-1.amzn2.x86_64
    webkitgtk4-debuginfo-2.48.5-1.amzn2.x86_64

Additional References

Release Notes:  Amazon Linux 2 Release Notes

Red Hat: CVE-2024-54467, CVE-2025-24189, CVE-2025-24213, CVE-2025-24223, CVE-2025-31273, CVE-2025-31278, CVE-2025-43211, CVE-2025-43212, CVE-2025-43216, CVE-2025-43227, CVE-2025-43228, CVE-2025-43240, CVE-2025-43265

Mitre: CVE-2024-54467, CVE-2025-24189, CVE-2025-24213, CVE-2025-24223, CVE-2025-31273, CVE-2025-31278, CVE-2025-43211, CVE-2025-43212, CVE-2025-43216, CVE-2025-43227, CVE-2025-43228, CVE-2025-43240, CVE-2025-43265