Amazon Linux 2023 Security Advisory: ALAS2023-2026-1523
Advisory Released Date: 2026-04-01
Advisory Updated Date: 2026-04-01
Severity:
Low
Issue Overview:
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack. (CVE-2026-25727)
Affected Packages:
rust-below
Issue Correction:
Run dnf update rust-below --releasever 2023.10.20260330 or dnf update --advisory ALAS2023-2026-1523 --releasever 2023.10.20260330 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
New Packages:
aarch64:
below-debuginfo-0.11.0-1.amzn2023.0.2.aarch64
below-0.11.0-1.amzn2023.0.2.aarch64
rust-below-debugsource-0.11.0-1.amzn2023.0.2.aarch64
src:
rust-below-0.11.0-1.amzn2023.0.2.src
x86_64:
below-debuginfo-0.11.0-1.amzn2023.0.2.x86_64
below-0.11.0-1.amzn2023.0.2.x86_64
rust-below-debugsource-0.11.0-1.amzn2023.0.2.x86_64