ALAS2023-2025-1157


Amazon Linux 2023 Security Advisory: ALAS2023-2025-1157
Advisory Released Date: 2025-09-08
Advisory Updated Date: 2025-09-08
Severity: Medium

Issue Overview:

ModSecurity is an open source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response's Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12. (CVE-2025-54571)


Affected Packages:

mod_security


Issue Correction:
Run one of the following commands to update your system:
    dnf update mod_security --releasever 2023.8.20250908
    dnf update --advisory ALAS2023-2025-1157 --releasever 2023.8.20250908
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
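
To confirm the update reached every host, the check below flags hosts whose mod_security build is older than the fixed 2.9.12-1.amzn2023.0.1 build listed under New Packages. It is an added example, not part of the Amazon Linux advisory: the "host NVRA" inventory format (one line per host, as printed by rpm -q mod_security), the host names and the older build strings are constructed assumptions, and sort -V stands in for RPM's own version comparison.

```shell
#!/usr/bin/env bash
# Added example: find hosts still running a mod_security build older than
# the fixed build named in this advisory (CVE-2025-54571).

FIXED_VR="2.9.12-1.amzn2023.0.1"   # version-release from "New Packages"

# Reduce an NVRA string (name-version-release.arch) to version-release.
nvra_to_vr() {
    vr=${1#mod_security-}      # drop the package name
    printf '%s\n' "${vr%.*}"   # drop the trailing .arch
}

# Exit 0 when version-release $1 is at or above the fixed build.
# Assumption: sort -V approximates RPM ordering, which is adequate for
# the dotted numeric versions this package uses.
is_fixed() {
    lowest=$(printf '%s\n%s\n' "$FIXED_VR" "$1" | sort -V | head -n1)
    [ "$lowest" = "$FIXED_VR" ]
}

# Read "host nvra" lines on stdin and print hosts with a vulnerable build.
# Subpackages (mlogc, debuginfo, debugsource) are skipped: only the main
# mod_security package name is followed directly by a digit.
vulnerable_hosts() {
    while read -r host nvra; do
        case $nvra in
            mod_security-[0-9]*) ;;
            *) continue ;;
        esac
        is_fixed "$(nvra_to_vr "$nvra")" || printf '%s\n' "$host"
    done
}

# Constructed sample inventory: host names and pre-fix builds are made up.
sample_inventory() {
    cat <<'EOF'
web-01 mod_security-2.9.12-1.amzn2023.0.1.x86_64
web-02 mod_security-2.9.6-1.amzn2023.0.1.x86_64
web-03 mod_security-mlogc-2.9.6-1.amzn2023.0.1.x86_64
web-04 mod_security-2.9.11-1.amzn2023.0.1.aarch64
EOF
}

sample_inventory | vulnerable_hosts
```

In practice, replace sample_inventory with the collected output of rpm -q mod_security from each host, prefixed with the host name.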

New Packages:
aarch64:
    mod_security-debugsource-2.9.12-1.amzn2023.0.1.aarch64
    mod_security-debuginfo-2.9.12-1.amzn2023.0.1.aarch64
    mod_security-mlogc-debuginfo-2.9.12-1.amzn2023.0.1.aarch64
    mod_security-mlogc-2.9.12-1.amzn2023.0.1.aarch64
    mod_security-2.9.12-1.amzn2023.0.1.aarch64

src:
    mod_security-2.9.12-1.amzn2023.0.1.src

x86_64:
    mod_security-debugsource-2.9.12-1.amzn2023.0.1.x86_64
    mod_security-mlogc-debuginfo-2.9.12-1.amzn2023.0.1.x86_64
    mod_security-debuginfo-2.9.12-1.amzn2023.0.1.x86_64
    mod_security-mlogc-2.9.12-1.amzn2023.0.1.x86_64
    mod_security-2.9.12-1.amzn2023.0.1.x86_64