Amazon Linux 1 (EOL) Security Advisory: ALAS-2017-916
Advisory Released Date: 2017-10-26
Advisory Updated Date: 2017-10-26
Heap-based buffer overflow in HTTP protocol handling
A heap-based buffer overflow, when processing chunked encoded HTTP responses, was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code. (CVE-2017-13090)
Stack-based buffer overflow in HTTP protocol handling
A stack-based buffer overflow, when processing chunked encoded HTTP responses, was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code. (CVE-2017-13089)
Affected Packages:
wget
Issue Correction:
Run yum update wget to update your system.
i686:
wget-debuginfo-1.18-3.28.amzn1.i686
wget-1.18-3.28.amzn1.i686
src:
wget-1.18-3.28.amzn1.src
x86_64:
wget-1.18-3.28.amzn1.x86_64
wget-debuginfo-1.18-3.28.amzn1.x86_64
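
A check for the fix level listed above, as an added example that is not part of the original advisory: it reports whether a wget VERSION-RELEASE string is at or past 1.18-3.28.amzn1. The function names, the `--host` switch and the use of `sort -V` in place of rpm's own version comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example: is a wget build at or past the fix for ALAS-2017-916
# (CVE-2017-13089, CVE-2017-13090)?
FIXED_VR="1.18-3.28.amzn1"   # fixed build, taken from the advisory's package list

# vr_at_least A B: succeed when A >= B.
# Assumption: sort -V (GNU coreutils) stands in for rpm's own comparison,
# which is adequate for same-format VERSION-RELEASE strings like these.
vr_at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# classify VR: print "fixed" or "vulnerable" for a wget VERSION-RELEASE string.
classify() {
    if vr_at_least "$1" "$FIXED_VR"; then echo fixed; else echo vulnerable; fi
}

# check_host: classify every installed wget package (one per architecture).
# Returns 0 = nothing vulnerable, 1 = a vulnerable build found, 2 = cannot tell.
check_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    pkgs=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' wget 2>/dev/null) || {
        echo "wget is not installed"; return 0; }
    rc=0
    for vr in $pkgs; do
        state=$(classify "$vr")
        echo "wget-$vr: $state"
        [ "$state" = fixed ] || rc=1
    done
    return $rc
}

# Query the host only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

Run with `--host` on an Amazon Linux 1 instance; a non-zero exit status means `yum update wget` is still needed.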