medium severity
Do your applications use this vulnerable package?
Test your applications
Overview
Affected versions of this package are vulnerable to ALAS2-2020-1517. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. 1347549: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters
Remediation
Upgrade libcrypt to version or higher.
References
- CVE
- ALAS2-2020-1517
- Snyk ID
- SNYK-AMZN2-LIBCRYPT-1022446
- Published
- 28 Oct, 2020