When you have executed yum update --security and no updates are returned, all the available security updates have been installed.
Working with the example you've provided: libssh2
Reviewing Amazon ALAS, we can see there was a vulnerability found on 2023-08-22 within the libssh2 package (CVE-2020-22218): function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out-of-bounds memory [1].
Even though the package may be listed as 2016, the Amazon Linux team has already patched [2] the package to prevent this vulnerability from being exploited.
Q. Does AWS backport security fixes for Amazon Linux 2? "Yes. Amazon routinely takes fixes out of the most recent version of upstream software packages and applies it to the version of the package in Amazon Linux 2. During this process, Amazon isolates the fix from any other changes, ensures that the fixes do not introduce unwanted side effects, and then applies the fixes."
Please see the following FAQ: https://aws.amazon.com/amazon-linux-2/faqs/
Regarding the CentOS, RHEL and Fedora operating systems, these repositories are not managed by Amazon, and therefore we cannot comment on their security updates.
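Because backported fixes keep the old upstream version number, the version string alone does not tell you whether a CVE is covered. The following helper script, added here as an example and not part of the answer above, shows the two checks a practitioner would combine on an Amazon Linux 2 host: whether the package changelog records the CVE, and whether the installed version is at or above the fixed version named in the advisory. The changelog text and the version numbers in the demo are constructed (the fixed version is the one quoted in the ALAS-2023-2257 advisory link in this thread); on a live host the commented-out lines at the end feed it real rpm output.

```shell
#!/bin/sh
# Added example (not from the original answer). Helpers to verify, on an
# Amazon Linux 2 host, that a given CVE is covered by the installed package:
#   1. the package changelog mentions the CVE (backported fixes are recorded there), and
#   2. the installed version sorts at or above the version named in the ALAS advisory.
# The sample changelog below is CONSTRUCTED for this demo; on a real host
# feed in the output of `rpm -q --changelog <package>`.

# cve_in_changelog CHANGELOG_TEXT CVE_ID -> exit 0 if the CVE id appears (case-insensitive)
cve_in_changelog() {
    printf '%s\n' "$1" | grep -qiF -- "$2"
}

# version_at_least INSTALLED REQUIRED -> exit 0 if INSTALLED sorts at or above REQUIRED.
# Uses GNU `sort -V` as an approximation; for production use rpmdev-vercmp,
# which implements RPM's own version comparison rules.
version_at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# cve_status INSTALLED_VERSION FIXED_VERSION CHANGELOG_TEXT CVE_ID -> prints "fixed" or "not-fixed".
# Both conditions must hold: a version bump without the changelog entry (or vice versa)
# is reported as not-fixed so that a mismatch gets investigated rather than assumed safe.
cve_status() {
    if version_at_least "$1" "$2" && cve_in_changelog "$3" "$4"; then
        echo fixed
    else
        echo not-fixed
    fi
}

# Constructed sample changelog, in the layout rpm prints (maintainer address is a placeholder)
SAMPLE_CHANGELOG='* Tue Aug 22 2023 Amazon Linux <placeholder@example.invalid> - 1.4.3-12.amzn2.2.6
- Resolves: CVE-2020-22218 out-of-bounds read in _libssh2_packet_add'

# Demo run on the constructed data (installed version equals the advisory's fixed version)
cve_status 1.4.3-12.amzn2.2.6 1.4.3-12.amzn2.2.6 "$SAMPLE_CHANGELOG" CVE-2020-22218

# Live-host usage (commented out so the script runs offline):
# INSTALLED=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' libssh2)
# cve_status "$INSTALLED" 1.4.3-12.amzn2.2.6 "$(rpm -q --changelog libssh2)" CVE-2020-22218
# Or let yum answer from the repository metadata directly:
# yum updateinfo list cves | grep CVE-2020-22218
```

The changelog check matters more than the version check: a package whose release number was bumped for an unrelated reason would pass the version comparison alone, while a backport always leaves a changelog entry naming the CVE.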
With reference to this, https://alas.aws.amazon.com/AL2/ALAS-2023-2257.html, is CVE-2020-22218 fixed in package version libssh2-1.4.3-12.amzn2.2.6.x86_64?
Also, as a continuation of the above, are any CVEs listed in this link https://alas.aws.amazon.com/alas2.html considered to be fixed within the current amzn2-core.repo? I am asking this as I cannot find any status on whether it has been fixed or not.