ALAS-2025-1968

Amazon Linux 1 (EOL) Security Advisory: ALAS-2025-1968
Advisory Released Date: 2025-04-17
Advisory Updated Date: 2025-04-17

Severity: Important

References: CVE-2024-55549 CVE-2025-24855
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes. (CVE-2024-55549)

numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal. (CVE-2025-24855)

Affected Packages:

libxslt

Issue Correction:
Run yum update libxslt to update your system.

New Packages:

i686:
    libxslt-python26-1.1.28-6.16.amzn1.i686
    libxslt-python27-1.1.28-6.16.amzn1.i686
    libxslt-devel-1.1.28-6.16.amzn1.i686
    libxslt-debuginfo-1.1.28-6.16.amzn1.i686
    libxslt-1.1.28-6.16.amzn1.i686

src:
    libxslt-1.1.28-6.16.amzn1.src

x86_64:
    libxslt-debuginfo-1.1.28-6.16.amzn1.x86_64
    libxslt-python26-1.1.28-6.16.amzn1.x86_64
    libxslt-python27-1.1.28-6.16.amzn1.x86_64
    libxslt-1.1.28-6.16.amzn1.x86_64
    libxslt-devel-1.1.28-6.16.amzn1.x86_64

Additional References

Red Hat: CVE-2024-55549, CVE-2025-24855

Mitre: CVE-2024-55549, CVE-2025-24855