ALAS2-2025-2989

Amazon Linux 2 Security Advisory: ALAS2-2025-2989
Advisory Released Date: 2025-09-04
Advisory Updated Date: 2025-09-04

Severity: Medium

References: CVE-2025-50422
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

An issue was discovered in freedesktop poppler v25.04.0. The heap memory containing PDF stream objects is not cleared upon program exit, allowing attackers to obtain sensitive PDF content via a memory dump. (CVE-2025-50422)

Affected Packages:

cairo

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update cairo or yum update --advisory ALAS2-2025-2989 to update your system.

New Packages:

aarch64:
    cairo-1.15.12-4.amzn2.0.1.aarch64
    cairo-devel-1.15.12-4.amzn2.0.1.aarch64
    cairo-gobject-1.15.12-4.amzn2.0.1.aarch64
    cairo-gobject-devel-1.15.12-4.amzn2.0.1.aarch64
    cairo-tools-1.15.12-4.amzn2.0.1.aarch64
    cairo-debuginfo-1.15.12-4.amzn2.0.1.aarch64

i686:
    cairo-1.15.12-4.amzn2.0.1.i686
    cairo-devel-1.15.12-4.amzn2.0.1.i686
    cairo-gobject-1.15.12-4.amzn2.0.1.i686
    cairo-gobject-devel-1.15.12-4.amzn2.0.1.i686
    cairo-tools-1.15.12-4.amzn2.0.1.i686
    cairo-debuginfo-1.15.12-4.amzn2.0.1.i686

src:
    cairo-1.15.12-4.amzn2.0.1.src

x86_64:
    cairo-1.15.12-4.amzn2.0.1.x86_64
    cairo-devel-1.15.12-4.amzn2.0.1.x86_64
    cairo-gobject-1.15.12-4.amzn2.0.1.x86_64
    cairo-gobject-devel-1.15.12-4.amzn2.0.1.x86_64
    cairo-tools-1.15.12-4.amzn2.0.1.x86_64
    cairo-debuginfo-1.15.12-4.amzn2.0.1.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2025-50422

Mitre: CVE-2025-50422