ALAS-2025-1958

Amazon Linux 1 (EOL) Security Advisory: ALAS-2025-1958
Advisory Released Date: 2025-02-05
Advisory Updated Date: 2025-02-05

Severity: Important

References: CVE-2024-32487
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases. (CVE-2024-32487)

Affected Packages:

less

Issue Correction:
Run yum update less to update your system.

New Packages:

i686:
    less-436-13.14.amzn1.i686
    less-debuginfo-436-13.14.amzn1.i686

src:
    less-436-13.14.amzn1.src

x86_64:
    less-debuginfo-436-13.14.amzn1.x86_64
    less-436-13.14.amzn1.x86_64

Additional References

Red Hat: CVE-2024-32487

Mitre: CVE-2024-32487