Amazon Linux 2 Security Advisory: ALAS2-2025-2984
Advisory Released Date: 2025-09-04
Advisory Updated Date: 2025-09-04
os/exec: LookPath may return unexpected paths. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and "..") can result in the binaries listed in the PATH being unexpectedly returned. (CVE-2025-47906)
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error. (CVE-2025-47907)
A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to a heap-based buffer overflow. The attack requires local access. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue. (CVE-2025-7545)
A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to an out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. It is recommended to apply a patch to fix this issue. (CVE-2025-7546)
Affected Packages:
golang
Note:
This advisory is applicable to the Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update golang or yum update --advisory ALAS2-2025-2984 to update your system.
aarch64:
golang-1.24.6-1.amzn2.0.1.aarch64
golang-bin-1.24.6-1.amzn2.0.1.aarch64
golang-shared-1.24.6-1.amzn2.0.1.aarch64
noarch:
golang-docs-1.24.6-1.amzn2.0.1.noarch
golang-misc-1.24.6-1.amzn2.0.1.noarch
golang-tests-1.24.6-1.amzn2.0.1.noarch
golang-src-1.24.6-1.amzn2.0.1.noarch
src:
golang-1.24.6-1.amzn2.0.1.src
x86_64:
golang-1.24.6-1.amzn2.0.1.x86_64
golang-bin-1.24.6-1.amzn2.0.1.x86_64
golang-shared-1.24.6-1.amzn2.0.1.x86_64