ALAS2023-2023-163

Amazon Linux 2023 Security Advisory: ALAS2023-2023-163
Advisory Released Date: 2023-05-03
Advisory Updated Date: 2023-05-03

Severity: Medium

References: CVE-2023-28484 CVE-2023-29469
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A NULL pointer dereference exists when parsing (invalid) XML schemas in libxml2 xmlSchemaCheckCOSSTDerivedOK (CVE-2023-28484)

libxml2 Hashing of empty dict strings isn't deterministic. When hashing empty strings which aren't null-terminated, xmlDictComputeFastKey could produce inconsistent results. This could lead to various logic or memory errors, including double frees. (CVE-2023-29469)

Affected Packages:

libxml2

Issue Correction:
Run dnf update libxml2 --releasever 2023.0.20230503 to update your system.

New Packages:

aarch64:
    libxml2-debugsource-2.10.4-1.amzn2023.0.1.aarch64
    python3-libxml2-debuginfo-2.10.4-1.amzn2023.0.1.aarch64
    libxml2-static-2.10.4-1.amzn2023.0.1.aarch64
    libxml2-debuginfo-2.10.4-1.amzn2023.0.1.aarch64
    python3-libxml2-2.10.4-1.amzn2023.0.1.aarch64
    libxml2-2.10.4-1.amzn2023.0.1.aarch64
    libxml2-devel-2.10.4-1.amzn2023.0.1.aarch64

src:
    libxml2-2.10.4-1.amzn2023.0.1.src

x86_64:
    libxml2-debugsource-2.10.4-1.amzn2023.0.1.x86_64
    python3-libxml2-debuginfo-2.10.4-1.amzn2023.0.1.x86_64
    libxml2-static-2.10.4-1.amzn2023.0.1.x86_64
    libxml2-debuginfo-2.10.4-1.amzn2023.0.1.x86_64
    libxml2-devel-2.10.4-1.amzn2023.0.1.x86_64
    python3-libxml2-2.10.4-1.amzn2023.0.1.x86_64
    libxml2-2.10.4-1.amzn2023.0.1.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2023-28484, CVE-2023-29469

Mitre: CVE-2023-28484, CVE-2023-29469