ALAS2023-2025-1155

Amazon Linux 2023 Security Advisory: ALAS2023-2025-1155
Advisory Released Date: 2025-09-08
Advisory Updated Date: 2025-09-08

Severity: Medium

References: CVE-2025-4878 CVE-2025-5318 CVE-2025-5351 CVE-2025-5987
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

The privatekey_from_file() uses an uninitialized variable under certain
conditions, such as if the file specified by the filename argument doesn't
exist. This causes the code to return an invalid private key.

This defect, in turn, might cause signing failure. The bug might also cause a
Use-After-Free or corrupt the heap.

Note that privatekey_from_file() is a deprecated function and shouldn't be used
anymore! (CVE-2025-4878)

An incorrect comparison check allows to read beyond bounds in the sftp_handle() in the sftp server implementation. Thus an invalid pointer is returned as the handle and we try to continue using that. (CVE-2025-5318)

pki_key_to_blob() can cause a double free on certain errors when using OpenSSL
>= 3.0. The function is used by different other functions which allow to
export public or private keys to blobs or base64.

The function is using the variable params without resetting it to NULL after
free. In case of low-memory conditions when the allocation of string fails,
the libssh calls the OSSL_PARAM_free() with the same arguments, which will
likely crash. (CVE-2025-5351)

If there is an error in initializing ChaCha20 cipher with OpenSSL, an invalid
error code is returned. This can happen if there is an heap exhaustion. This
error is not correctly detected and could allow libssh to use partially
initialized cipher context.

This is caused by the mismatch of return value meaning from OpenSSL and libssh,
where OpenSSL error (rv=0) aliases with SSH_OK (0) and is returned directly
from the function chacha20_poly1305_set_key(). This will likely cause error
somewhere down the road. (CVE-2025-5987)

Affected Packages:

libssh

Issue Correction:
Run dnf update libssh --releasever 2023.8.20250908 or dnf update --advisory ALAS2023-2025-1155 --releasever 2023.8.20250908 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    libssh-debugsource-0.10.6-1.amzn2023.0.2.aarch64
    libssh-debuginfo-0.10.6-1.amzn2023.0.2.aarch64
    libssh-0.10.6-1.amzn2023.0.2.aarch64
    libssh-devel-0.10.6-1.amzn2023.0.2.aarch64

noarch:
    libssh-config-0.10.6-1.amzn2023.0.2.noarch

src:
    libssh-0.10.6-1.amzn2023.0.2.src

x86_64:
    libssh-debugsource-0.10.6-1.amzn2023.0.2.x86_64
    libssh-debuginfo-0.10.6-1.amzn2023.0.2.x86_64
    libssh-0.10.6-1.amzn2023.0.2.x86_64
    libssh-devel-0.10.6-1.amzn2023.0.2.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2025-4878, CVE-2025-5318, CVE-2025-5351, CVE-2025-5987

Mitre: CVE-2025-4878, CVE-2025-5318, CVE-2025-5351, CVE-2025-5987