ALAS2-2022-1830


Amazon Linux 2 Security Advisory: ALAS2-2022-1830
Advisory Released Date: 2022-08-08
Advisory Updated Date: 2025-09-23
Severity: Important

Issue Overview:

A null pointer dereference vulnerability was found in golang. When using the library's ssh server without specifying an option for GSSAPIWithMICConfig, it is possible for an attacker to craft an ssh client connection using the authentication method and cause the server to panic resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-29652)

A buffer overflow flaw was found in Golang's library encoding/pem. This flaw allows an attacker to use a large PEM input (more than 5 MB), causing a stack overflow in Decode, which leads to a loss of availability. (CVE-2022-24675)

An integer overflow flaw was found in Golang's crypto/elliptic library. This flaw allows an attacker to use a crafted scalar input longer than 32 bytes, causing P256().ScalarMult or P256().ScalarBaseMult to panic, leading to a loss of availability. (CVE-2022-28327)
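As an added example that is not part of the advisory or of the Go project's own code, the Go program below shows application-level input guards for the two standard-library issues above: capping untrusted PEM input before it reaches pem.Decode (CVE-2022-24675) and rejecting P-256 scalars longer than 32 bytes before crypto/elliptic sees them (CVE-2022-28327). The names MaxPEMInput, DecodeBoundedPEM and P256ScalarBaseMult and the 1 MiB cap are assumptions for this example; the updated golang-1.18.3 packages already handle these inputs, so the guards are defence in depth, not a substitute for the update.

```go
package main

import (
	"crypto/elliptic"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"math/big"
	"strings"
)

// MaxPEMInput is an assumed cap on untrusted PEM input; CVE-2022-24675 needed more than 5 MB.
const MaxPEMInput = 1 << 20

// DecodeBoundedPEM reads at most MaxPEMInput bytes from an untrusted reader
// and decodes the first PEM block; oversized input is rejected, not parsed.
func DecodeBoundedPEM(r io.Reader) (*pem.Block, error) {
	data, err := io.ReadAll(io.LimitReader(r, MaxPEMInput+1))
	if err != nil {
		return nil, err
	}
	if len(data) > MaxPEMInput {
		return nil, fmt.Errorf("pem input exceeds %d bytes", MaxPEMInput)
	}
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	return block, nil
}

// P256ScalarBaseMult rejects scalars outside 1..32 bytes (the P-256 order
// size) before crypto/elliptic sees them, the input class of CVE-2022-28327.
func P256ScalarBaseMult(k []byte) (*big.Int, *big.Int, error) {
	curve := elliptic.P256()
	want := (curve.Params().N.BitLen() + 7) / 8 // 32 bytes for P-256
	if len(k) == 0 || len(k) > want {
		return nil, nil, fmt.Errorf("scalar must be 1..%d bytes, got %d", want, len(k))
	}
	x, y := curve.ScalarBaseMult(k)
	return x, y, nil
}

func main() {
	blk, err := DecodeBoundedPEM(strings.NewReader("-----BEGIN TEST-----\nAQID\n-----END TEST-----\n")) // constructed sample
	fmt.Println(blk, err)
	_, _, err = P256ScalarBaseMult(make([]byte, 33)) // a 33-byte scalar is refused
	fmt.Println(err)
}
```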


Affected Packages:

golang


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update golang or yum update --advisory ALAS2-2022-1830 to update your system.

New Packages:
aarch64:
    golang-1.18.3-1.amzn2.aarch64
    golang-bin-1.18.3-1.amzn2.aarch64
    golang-shared-1.18.3-1.amzn2.aarch64

noarch:
    golang-docs-1.18.3-1.amzn2.noarch
    golang-misc-1.18.3-1.amzn2.noarch
    golang-tests-1.18.3-1.amzn2.noarch
    golang-src-1.18.3-1.amzn2.noarch

src:
    golang-1.18.3-1.amzn2.src

x86_64:
    golang-1.18.3-1.amzn2.x86_64
    golang-bin-1.18.3-1.amzn2.x86_64
    golang-shared-1.18.3-1.amzn2.x86_64
    golang-race-1.18.3-1.amzn2.x86_64

Changelog:

2025-09-23: CVE-2022-24921 was removed from this advisory.

2025-09-23: CVE-2022-23806 was removed from this advisory.

2025-09-23: CVE-2022-23773 was removed from this advisory.

2025-09-23: CVE-2022-23772 was removed from this advisory.

2025-09-23: CVE-2021-39293 was removed from this advisory.

2025-09-23: CVE-2021-27918 was removed from this advisory.

2025-09-23: CVE-2021-27919 was removed from this advisory.

2025-09-23: CVE-2021-33195 was removed from this advisory.

2025-09-23: CVE-2021-33197 was removed from this advisory.

2025-09-23: CVE-2021-33198 was removed from this advisory.

2025-09-23: CVE-2021-36221 was removed from this advisory.

2025-09-23: CVE-2021-38297 was removed from this advisory.