ALAS-2023-1780

Amazon Linux 1 (EOL) Security Advisory: ALAS-2023-1780
Advisory Released Date: 2023-07-19
Advisory Updated Date: 2023-07-19

Severity: Medium

References: CVE-2022-4904
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. (CVE-2022-4904)

Affected Packages:

c-ares

Issue Correction:
Run yum update c-ares to update your system.

New Packages:

i686:
    c-ares-debuginfo-1.17.2-1.10.amzn1.i686
    c-ares-1.17.2-1.10.amzn1.i686
    c-ares-devel-1.17.2-1.10.amzn1.i686

src:
    c-ares-1.17.2-1.10.amzn1.src

x86_64:
    c-ares-1.17.2-1.10.amzn1.x86_64
    c-ares-debuginfo-1.17.2-1.10.amzn1.x86_64
    c-ares-devel-1.17.2-1.10.amzn1.x86_64

Additional References

Red Hat: CVE-2022-4904

Mitre: CVE-2022-4904