ALAS2023-2025-831


Amazon Linux 2023 Security Advisory: ALAS2023-2025-831
Advisory Released Date: 2025-02-05
Advisory Updated Date: 2025-02-05
Severity: Important

Issue Overview:

virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287. (CVE-2024-53899)
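The quoting flaw described above, shown beside a hardened form, as an added example that is not virtualenv's code or part of this advisory. The one-line templates, function names and sample paths are constructed for illustration, and `shlex.quote` is assumed as one suitable way to quote a value for POSIX shells. Nothing is executed; the rendered line is only tokenized the way a shell would split it.

```python
import shlex

# Constructed, simplified stand-ins for an activation-script template.
TEMPLATE_UNSAFE = "VIRTUAL_ENV='__VIRTUAL_ENV__'\nexport VIRTUAL_ENV\n"
TEMPLATE_SAFE = "VIRTUAL_ENV=__VIRTUAL_ENV__\nexport VIRTUAL_ENV\n"


def render_unsafe(venv_path):
    """Raw substitution: the template's own quotes are the only protection."""
    return TEMPLATE_UNSAFE.replace("__VIRTUAL_ENV__", venv_path)


def render_safe(venv_path):
    """Quote the value for the target shell before substituting it."""
    return TEMPLATE_SAFE.replace("__VIRTUAL_ENV__", shlex.quote(venv_path))


def first_line_tokens(script):
    """Tokenize the first line, keeping operators such as ';' separate."""
    lexer = shlex.shlex(script.splitlines()[0], posix=True,
                        punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def is_single_assignment(script, venv_path):
    """True if the line is one assignment whose value is exactly the path."""
    return first_line_tokens(script) == ["VIRTUAL_ENV=" + venv_path]


if __name__ == "__main__":
    # Constructed sample paths: one ordinary, one containing a single quote.
    ordinary = "/home/dev/my project/.venv"
    hostile = "/tmp/proj'; echo injected; '"
    for path in (ordinary, hostile):
        for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
            script = render(path)
            print(name, is_single_assignment(script, path),
                  first_line_tokens(script))
```

The unquoted render passes for ordinary paths, which is why the defect only shows up when the environment path itself contains shell metacharacters.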


Affected Packages:

python-virtualenv


Issue Correction:
Run one of the following commands to update your system:
    dnf update python-virtualenv --releasever 2023.6.20250203
    dnf update --advisory ALAS2023-2025-831 --releasever 2023.6.20250203
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
noarch:
    python3-virtualenv-20.4.0-3.amzn2023.0.4.noarch

src:
    python-virtualenv-20.4.0-3.amzn2023.0.4.src