ALAS2023-2025-1229

Amazon Linux 2023 Security Advisory: ALAS2023-2025-1229
Advisory Released Date: 2025-10-27
Advisory Updated Date: 2025-10-27

Severity: Important

References: CVE-2023-52425 CVE-2023-52426 CVE-2024-28757 CVE-2024-8176 CVE-2025-59375
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

Considering the tradeoff between the stability of Amazon Linux and the impact of CVE-2023-52425 a fix will not be provided for firefox and thunderbird in Amazon Linux 2 at this time. (CVE-2023-52425)

libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

Considering the tradeoff between the stability of Amazon Linux and the impact of CVE-2023-52426 a fix will not be provided for firefox and thunderbird in Amazon Linux 2 at this time. (CVE-2023-52426)

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate). (CVE-2024-28757)

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage. (CVE-2024-8176)

libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing. (CVE-2025-59375)

Affected Packages:

xmlrpc-c

Issue Correction:
Run dnf update xmlrpc-c --releasever 2023.9.20251027 or dnf update --advisory ALAS2023-2025-1229 --releasever 2023.9.20251027 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    xmlrpc-c-client-1.51.08-2.amzn2023.0.2.aarch64
    xmlrpc-c-debuginfo-1.51.08-2.amzn2023.0.2.aarch64
    xmlrpc-c-1.51.08-2.amzn2023.0.2.aarch64
    xmlrpc-c-debugsource-1.51.08-2.amzn2023.0.2.aarch64
    xmlrpc-c-client-debuginfo-1.51.08-2.amzn2023.0.2.aarch64
    xmlrpc-c-c++-1.51.08-2.amzn2023.0.2.aarch64
    xmlrpc-c-apps-debuginfo-1.51.08-2.amzn2023.0.2.aarch64
    xmlrpc-c-c++-debuginfo-1.51.08-2.amzn2023.0.2.aarch64
    xmlrpc-c-client++-debuginfo-1.51.08-2.amzn2023.0.2.aarch64
    xmlrpc-c-client++-1.51.08-2.amzn2023.0.2.aarch64
    xmlrpc-c-apps-1.51.08-2.amzn2023.0.2.aarch64
    xmlrpc-c-devel-1.51.08-2.amzn2023.0.2.aarch64

src:
    xmlrpc-c-1.51.08-2.amzn2023.0.2.src

x86_64:
    xmlrpc-c-c++-debuginfo-1.51.08-2.amzn2023.0.2.x86_64
    xmlrpc-c-apps-1.51.08-2.amzn2023.0.2.x86_64
    xmlrpc-c-client++-debuginfo-1.51.08-2.amzn2023.0.2.x86_64
    xmlrpc-c-debuginfo-1.51.08-2.amzn2023.0.2.x86_64
    xmlrpc-c-client-debuginfo-1.51.08-2.amzn2023.0.2.x86_64
    xmlrpc-c-client-1.51.08-2.amzn2023.0.2.x86_64
    xmlrpc-c-devel-1.51.08-2.amzn2023.0.2.x86_64
    xmlrpc-c-c++-1.51.08-2.amzn2023.0.2.x86_64
    xmlrpc-c-debugsource-1.51.08-2.amzn2023.0.2.x86_64
    xmlrpc-c-apps-debuginfo-1.51.08-2.amzn2023.0.2.x86_64
    xmlrpc-c-client++-1.51.08-2.amzn2023.0.2.x86_64
    xmlrpc-c-1.51.08-2.amzn2023.0.2.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2023-52425, CVE-2023-52426, CVE-2024-28757, CVE-2024-8176, CVE-2025-59375

Mitre: CVE-2023-52425, CVE-2023-52426, CVE-2024-28757, CVE-2024-8176, CVE-2025-59375