ALAS2023-2026-1406

A flaw was found in OpenSSL. A remote attacker can exploit a stack buffer overflow vulnerability by supplying a crafted Cryptographic Message Syntax (CMS) message with an oversized Initialization Vector (IV) when parsing AuthEnvelopedData structures that use Authenticated Encryption with Associated Data (AEAD) ciphers such as AES-GCM. This can lead to a crash, causing a Denial of Service (DoS), or potentially allow for remote code execution. (CVE-2025-15467)

aarch64:
    openssl-perl-3.2.2-1.amzn2023.0.4.aarch64
    openssl-fips-provider-latest-debuginfo-3.2.2-1.amzn2023.0.4.aarch64
    openssl-debuginfo-3.2.2-1.amzn2023.0.4.aarch64
    openssl-libs-3.2.2-1.amzn2023.0.4.aarch64
    openssl-fips-provider-latest-3.2.2-1.amzn2023.0.4.aarch64
    openssl-libs-debuginfo-3.2.2-1.amzn2023.0.4.aarch64
    openssl-snapsafe-libs-debuginfo-3.2.2-1.amzn2023.0.4.aarch64
    openssl-snapsafe-libs-3.2.2-1.amzn2023.0.4.aarch64
    openssl-3.2.2-1.amzn2023.0.4.aarch64
    openssl-debugsource-3.2.2-1.amzn2023.0.4.aarch64
    openssl-devel-3.2.2-1.amzn2023.0.4.aarch64

src:
    openssl-3.2.2-1.amzn2023.0.4.src

x86_64:
    openssl-perl-3.2.2-1.amzn2023.0.4.x86_64
    openssl-libs-debuginfo-3.2.2-1.amzn2023.0.4.x86_64
    openssl-debuginfo-3.2.2-1.amzn2023.0.4.x86_64
    openssl-libs-3.2.2-1.amzn2023.0.4.x86_64
    openssl-fips-provider-latest-debuginfo-3.2.2-1.amzn2023.0.4.x86_64
    openssl-snapsafe-libs-debuginfo-3.2.2-1.amzn2023.0.4.x86_64
    openssl-fips-provider-latest-3.2.2-1.amzn2023.0.4.x86_64
    openssl-snapsafe-libs-3.2.2-1.amzn2023.0.4.x86_64
    openssl-3.2.2-1.amzn2023.0.4.x86_64
    openssl-debugsource-3.2.2-1.amzn2023.0.4.x86_64
    openssl-devel-3.2.2-1.amzn2023.0.4.x86_64