ALAS2023-2025-977


Amazon Linux 2023 Security Advisory: ALAS2023-2025-977
Advisory Released Date: 2025-06-02
Advisory Updated Date: 2025-06-02
Severity: Medium

Issue Overview:

A directory traversal vulnerability was discovered in the Go programming language's os package in versions prior to 1.24.3. The vulnerability allows improper access to the parent directory of an os.Root by opening a filename ending in "../". When exploited, this vulnerability permits an attacker to open the parent directory of the Root, though it does not allow access to ancestors of the parent or files contained within the parent directory. This issue has been fixed in Go 1.24.3, where Root now correctly returns an error when such access is attempted. (CVE-2025-22873)


Affected Packages:

golang


Issue Correction:
Run dnf update golang --releasever 2023.7.20250527 to update your system.
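
Updating the golang package fixes the toolchain, but Go normally links the standard library statically, so binaries compiled earlier keep the old os package until they are rebuilt. The following is an added example, not part of the advisory or of any Amazon tooling: it reads the toolchain version recorded in each Go binary named on the command line and flags those built before 1.24.3. The function name builtBeforeFix and the output format are assumptions made for illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

var fixed = [3]int{1, 24, 3} // first Go release with the os.Root fix, per the advisory

// builtBeforeFix reports whether a toolchain string such as "go1.24.2" is older
// than 1.24.3. Pre-releases ("go1.24rc1") compare as 1.24.0; others are errors.
func builtBeforeFix(goVersion string) (bool, error) {
	fields := strings.Fields(strings.TrimPrefix(goVersion, "go"))
	if !strings.HasPrefix(goVersion, "go") || len(fields) == 0 {
		return false, fmt.Errorf("unrecognised Go version %q", goVersion)
	}
	var v [3]int
	for i, part := range strings.SplitN(fields[0], ".", 3) {
		end := 0 // length of the leading run of digits
		for end < len(part) && part[end] >= '0' && part[end] <= '9' {
			end++
		}
		n, err := strconv.Atoi(part[:end])
		if err != nil {
			return false, fmt.Errorf("unrecognised Go version %q", goVersion)
		}
		v[i] = n
	}
	for i := range v {
		if v[i] != fixed[i] {
			return v[i] < fixed[i], nil
		}
	}
	return false, nil
}

func main() {
	for _, path := range os.Args[1:] {
		info, err := buildinfo.ReadFile(path) // fails for non-Go or stripped files
		if err != nil {
			fmt.Printf("%s: skipped: %v\n", path, err)
			continue
		}
		old, err := builtBeforeFix(info.GoVersion)
		fmt.Printf("%s: toolchain=%s needs_rebuild=%v err=%v\n", path, info.GoVersion, old, err)
	}
}
```

The check follows the advisory's "prior to 1.24.3" wording, so it flags every older toolchain regardless of whether the program uses os.Root.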

New Packages:
aarch64:
    golang-1.24.3-1.amzn2023.0.1.aarch64
    golang-bin-1.24.3-1.amzn2023.0.1.aarch64
    golang-shared-1.24.3-1.amzn2023.0.1.aarch64

noarch:
    golang-docs-1.24.3-1.amzn2023.0.1.noarch
    golang-misc-1.24.3-1.amzn2023.0.1.noarch
    golang-src-1.24.3-1.amzn2023.0.1.noarch
    golang-tests-1.24.3-1.amzn2023.0.1.noarch

src:
    golang-1.24.3-1.amzn2023.0.1.src

x86_64:
    golang-1.24.3-1.amzn2023.0.1.x86_64
    golang-bin-1.24.3-1.amzn2023.0.1.x86_64
    golang-shared-1.24.3-1.amzn2023.0.1.x86_64