ALAS2023-2025-890

Amazon Linux 2023 Security Advisory: ALAS2023-2025-890
Advisory Released Date: 2025-03-06
Advisory Updated Date: 2025-03-06

Severity: Important

References: CVE-2021-46828
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections. (CVE-2021-46828)

Affected Packages:

libtirpc

Issue Correction:
Run dnf update libtirpc --releasever 2023.6.20250303 to update your system.

New Packages:

aarch64:
    libtirpc-debuginfo-1.3.3-0.amzn2023.aarch64
    libtirpc-debugsource-1.3.3-0.amzn2023.aarch64
    libtirpc-1.3.3-0.amzn2023.aarch64
    libtirpc-devel-1.3.3-0.amzn2023.aarch64

src:
    libtirpc-1.3.3-0.amzn2023.src

x86_64:
    libtirpc-debuginfo-1.3.3-0.amzn2023.x86_64
    libtirpc-debugsource-1.3.3-0.amzn2023.x86_64
    libtirpc-1.3.3-0.amzn2023.x86_64
    libtirpc-devel-1.3.3-0.amzn2023.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2021-46828

Mitre: CVE-2021-46828