Issue Overview:
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. (CVE-2021-43565)
http2/hpack: avoid quadratic complexity in hpack decoding (CVE-2022-41723)
Templates did not properly consider backticks (`) as Javascript string delimiters, and as such did
not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template
contained a Go template action within a Javascript template literal, the contents of the action could
be used to terminate the literal, injecting arbitrary Javascript code into the Go template. (CVE-2023-24538)
Affected Packages:
amazon-ssm-agent
Issue Correction:
Run yum update amazon-ssm-agent to update your system.
New Packages:
aarch64:
amazon-ssm-agent-3.2.1705.0-1.amzn2.aarch64
amazon-ssm-agent-debuginfo-3.2.1705.0-1.amzn2.aarch64
src:
amazon-ssm-agent-3.2.1705.0-1.amzn2.src
x86_64:
amazon-ssm-agent-3.2.1705.0-1.amzn2.x86_64
amazon-ssm-agent-debuginfo-3.2.1705.0-1.amzn2.x86_64
Red Hat: CVE-2021-43565, CVE-2022-41723, CVE-2023-24538
Mitre: CVE-2021-43565, CVE-2022-41723, CVE-2023-24538
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 2 | aarch64 | amazon-ssm-agent | < 3.2.1705.0-1.amzn2 | amazon-ssm-agent-3.2.1705.0-1.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | amazon-ssm-agent-debuginfo | < 3.2.1705.0-1.amzn2 | amazon-ssm-agent-debuginfo-3.2.1705.0-1.amzn2.aarch64.rpm |
Amazon Linux | 2 | src | amazon-ssm-agent | < 3.2.1705.0-1.amzn2 | amazon-ssm-agent-3.2.1705.0-1.amzn2.src.rpm |
Amazon Linux | 2 | x86_64 | amazon-ssm-agent | < 3.2.1705.0-1.amzn2 | amazon-ssm-agent-3.2.1705.0-1.amzn2.x86_64.rpm |
Amazon Linux | 2 | x86_64 | amazon-ssm-agent-debuginfo | < 3.2.1705.0-1.amzn2 | amazon-ssm-agent-debuginfo-3.2.1705.0-1.amzn2.x86_64.rpm |