Amazon Linux 1 (AL1) version 2018.03 release notes
Warning
Amazon Linux 1 (AL1, formerly Amazon Linux AMI) is no longer supported. This guide is available only for reference purposes.
Note
AL1 is no longer the current version of Amazon Linux. AL2023 is the successor to AL1 and Amazon Linux 2. For more information about what's new in AL2023, see the Comparing AL1 and AL2023 section in the AL2023 User Guide and the list of Package changes in AL2023.
This topic includes Amazon Linux 1 (AL1) release notes updates for the 2018.03 release.
Upgrading to Amazon Linux 1 (AL1) version 2018.03
To upgrade to Amazon Linux 1 (AL1) version 2018.03 from Amazon Linux 1 (AL1) version 2011.09 or later, run sudo yum clean all followed by sudo yum update. When the upgrade is complete, reboot your instance.
The Amazon Linux 1 (AL1) repositories provided updates that allow you to roll from one version of Amazon Linux 1 (AL1) to the next.
Amazon Linux 2018.03.0.20230404.0
Updated Packages:
db4-4.7.25-22.13.amzn1.x86_64
db4-utils-4.7.25-22.13.amzn1.x86_64
kernel-4.14.311-161.529.amzn1.x86_64
kernel-devel-4.14.311-161.529.amzn1.x86_64
kernel-headers-4.14.311-161.529.amzn1.x86_64
kernel-tools-4.14.311-161.529.amzn1.x86_64
microcode_ctl-2.1-47.41.amzn1.x86_64
python27-2.7.18-2.145.amzn1.x86_64
python27-babel-0.9.4-5.1.9.amzn1.noarch
python27-devel-2.7.18-2.145.amzn1.x86_64
python27-libs-2.7.18-2.145.amzn1.x86_64
vim-common-9.0.1403-1.76.amzn1.x86_64
vim-data-9.0.1403-1.76.amzn1.noarch
vim-enhanced-9.0.1403-1.76.amzn1.x86_64
vim-filesystem-9.0.1403-1.76.amzn1.noarch
vim-minimal-9.0.1403-1.76.amzn1.x86_64
Amazon Linux 2018.03.0.20230322.0
Updated Packages:
kernel-4.14.309-159.529.amzn1.x86_64
kernel-devel-4.14.309-159.529.amzn1.x86_64
kernel-headers-4.14.309-159.529.amzn1.x86_64
kernel-tools-4.14.309-159.529.amzn1.x86_64
tar-1.26-31.23.amzn1.x86_64
vim-common-9.0.1367-1.73.amzn1.x86_64
vim-data-9.0.1367-1.73.amzn1.noarch
vim-enhanced-9.0.1367-1.73.amzn1.x86_64
vim-filesystem-9.0.1367-1.73.amzn1.noarch
vim-minimal-9.0.1367-1.73.amzn1.x86_64
xorg-x11-server-Xorg-1.17.4-18.51.amzn1.x86_64
xorg-x11-server-common-1.17.4-18.51.amzn1.x86_64
Packages with CVEs:
kernel-4.14.309-159.529.amzn1, kernel-devel-4.14.309-159.529.amzn1, kernel-headers-4.14.309-159.529.amzn1, kernel-tools-4.14.309-159.529.amzn1
CVE-2023-26545
tar-1.26-31.23.amzn1
CVE-2022-48303
vim-common-9.0.1367-1.73.amzn1, vim-data-9.0.1367-1.73.amzn1, vim-enhanced-9.0.1367-1.73.amzn1, vim-filesystem-9.0.1367-1.73.amzn1
CVE-2023-0288
CVE-2023-0433
CVE-2023-0512
CVE-2023-1127
xorg-x11-server-Xorg-1.17.4-18.51.amzn1, xorg-x11-server-common-1.17.4-18.51.amzn1
CVE-2023-0494
Amazon Linux 2018.03.0.20230306.1
Updated Packages:
tzdata-2022g-1.84.amzn1.noarch
tzdata-java-2022g-1.84.amzn1.noarch
Amazon Linux 2018.03.0.20230221.0
Updated Packages:
ca-certificates-2018.2.22-65.1.29.amzn1.noarch
kernel-4.14.305-155.531.amzn1.x86_64
kernel-devel-4.14.305-155.531.amzn1.x86_64
kernel-headers-4.14.305-155.531.amzn1.x86_64
kernel-tools-4.14.305-155.531.amzn1.x86_64
xorg-x11-server-Xorg-1.17.4-18.50.amzn1.x86_64
xorg-x11-server-common-1.17.4-18.50.amzn1.x86_64
Packages with CVEs:
ca-certificates-2018.2.22-65.1.29.amzn1
CVE-2022-23491
xorg-x11-server-1.17.4-18.50.amzn1
CVE-2022-2320
CVE-2022-4283
CVE-2022-46340
CVE-2022-46341
CVE-2022-46342
CVE-2022-46343
CVE-2022-46344
Amazon Linux 2018.03.0.20230207.0
Updated Packages:
kernel-4.14.301-153.528.amzn1.x86_64
kernel-devel-4.14.301-153.528.amzn1.x86_64
kernel-headers-4.14.301-153.528.amzn1.x86_64
kernel-tools-4.14.301-153.528.amzn1.x86_64
krb5-libs-1.15.1-55.51.amzn1.x86_64
openssl-1.0.2k-16.162.amzn1.x86_64
sudo-1.8.23-10.57.amzn1.x86_64
vim-common-9.0.1160-1.1.amzn1.x86_64
vim-data-9.0.1160-1.1.amzn1.noarch
vim-enhanced-9.0.1160-1.1.amzn1.x86_64
vim-filesystem-9.0.1160-1.1.amzn1.noarch
vim-minimal-9.0.1160-1.1.amzn1.x86_64
Packages with CVEs:
sudo-1.8.23-10.57.amzn1
CVE-2023-22809
vim-9.0.1160-1.1.amzn1
CVE-2022-4292
CVE-2023-0049
krb5-1.15.1-55.51.amzn1
CVE-2022-42898
Amazon Linux 2018.03.0.20230124.1
There are no major updates in this release.
Updated Packages:
ca-certificates-2018.2.22-65.1.28.amzn1.noarch
krb5-libs-1.15.1-46.49.amzn1.x86_64
vim-common-9.0.1006-1.1.amzn1.x86_64
vim-data-9.0.1006-1.1.amzn1.noarch
vim-enhanced-9.0.1006-1.1.amzn1.x86_64
vim-filesystem-9.0.1006-1.1.amzn1.noarch
vim-minimal-9.0.1006-1.1.amzn1.x86_64
Amazon Linux 2018.03.0.20221209.1
There are no major updates in this release.
Updated Packages:
curl-7.61.1-12.101.amzn1.x86_64
expat-2.1.0-15.33.amzn1.x86_64
kernel-4.14.299-152.520.amzn1.x86_64
kernel-devel-4.14.299-152.520.amzn1.x86_64
kernel-headers-4.14.299-152.520.amzn1.x86_64
kernel-tools-4.14.299-152.520.amzn1.x86_64
libcurl-7.61.1-12.101.amzn1.x86_64
nvidia-450.216.04-2018.03.118.amzn1.x86_64
nvidia-dkms-450.216.04-2018.03.118.amzn1.x86_64
rsync-3.0.6-12.14.amzn1.x86_64
tzdata-2022f-1.83.amzn1.noarch
tzdata-java-2022f-1.83.amzn1.noarch
zlib-1.2.8-7.20.amzn1.x86_64
zlib-devel-1.2.8-7.20.amzn1.x86_64
Packages with CVEs:
curl-7.61.1-12.101.amzn1
CVE-2022-22576
CVE-2022-27774
CVE-2022-27776
CVE-2022-27781
CVE-2022-27782
CVE-2022-32206
CVE-2022-32208
CVE-2022-35252
kernel-4.14.299-152.520.amzn1
CVE-2022-20369
CVE-2022-26373
CVE-2022-2978
CVE-2022-3542
CVE-2022-3564
CVE-2022-3565
CVE-2022-3594
CVE-2022-3621
CVE-2022-3646
CVE-2022-3649
CVE-2022-39842
CVE-2022-40768
CVE-2022-41849
CVE-2022-41850
CVE-2022-43750
nvidia-450.216.04-2018.03.118.amzn1
CVE-2022-34670
CVE-2022-34674
CVE-2022-34675
CVE-2022-34677
CVE-2022-34679
CVE-2022-34680
CVE-2022-34682
CVE-2022-42254
CVE-2022-42255
CVE-2022-42256
CVE-2022-42257
CVE-2022-42258
CVE-2022-42259
CVE-2022-42260
CVE-2022-42261
CVE-2022-42262
CVE-2022-42263
CVE-2022-42264
Amazon Linux 2018.03.0.20221018.0
There are no major updates in this release.
Updated Packages:
kernel-4.14.294-150.533.amzn1.x86_64
kernel-devel-4.14.294-150.533.amzn1.x86_64
kernel-headers-4.14.294-150.533.amzn1.x86_64
kernel-tools-4.14.294-150.533.amzn1.x86_64
ruby20-2.0.0.648-2.41.amzn1.x86_64
ruby20-irb-2.0.0.648-2.41.amzn1.noarch
ruby20-libs-2.0.0.648-2.41.amzn1.x86_64
rubygem20-bigdecimal-1.2.0-2.41.amzn1.x86_64
rubygem20-psych-2.0.0-2.41.amzn1.x86_64
rubygems20-2.0.14.1-2.41.amzn1.noarch
tzdata-2022e-1.81.amzn1.noarch
tzdata-java-2022e-1.81.amzn1.noarch
vim-common-9.0.475-1.1.amzn1.x86_64
vim-data-9.0.475-1.1.amzn1.noarch
vim-enhanced-9.0.475-1.1.amzn1.x86_64
vim-filesystem-9.0.475-1.1.amzn1.noarch
vim-minimal-9.0.475-1.1.amzn1.x86_64
Packages with CVEs:
kernel-4.14.294-150.533.amzn1
CVE-2021-4159
CVE-2021-33655
CVE-2022-1462
CVE-2022-1679
CVE-2022-2153
CVE-2022-2588
CVE-2022-2663
CVE-2022-3028
CVE-2022-36123
CVE-2022-36879
CVE-2022-36946
CVE-2022-40307
Amazon Linux 2018.03.0.20220907.3
There are no major updates in this release.
Updated Packages:
amazon-ssm-agent-3.1.1732.0-1.amzn1.x86_64
gnupg2-2.0.28-2.35.amzn1.x86_64
java-1.7.0-openjdk-1.7.0.321-2.6.28.1.86.amzn1.x86_64
tzdata-2022c-1.80.amzn1.noarch
tzdata-java-2022c-1.80.amzn1.noarch
Amazon Linux 2018.03.0.20220802.0
There are no major updates in this release.
Updated Packages:
kernel-4.14.287-148.504.amzn1.x86_64
kernel-devel-4.14.287-148.504.amzn1.x86_64
kernel-headers-4.14.287-148.504.amzn1.x86_64
kernel-tools-4.14.287-148.504.amzn1.x86_64
log4j-cve-2021-44228-hotpatch-1.3-7.amzn1.noarch
openssl-1.0.2k-16.159.amzn1.x86_64
vim-common-8.2.5172-1.1.amzn1.x86_64
vim-data-8.2.5172-1.1.amzn1.noarch
vim-enhanced-8.2.5172-1.1.amzn1.x86_64
vim-filesystem-8.2.5172-1.1.amzn1.noarch
vim-minimal-8.2.5172-1.1.amzn1.x86_64
Packages with CVEs:
kernel-4.14.287-148.504.amzn1
CVE-2022-2318
CVE-2022-26365
CVE-2022-33740
CVE-2022-33741
CVE-2022-33742
CVE-2022-33744
Amazon Linux 2018.03.0.20220705.1
There are no major updates in this release.
Updated Packages:
ca-certificates-2018.2.22-65.1.27.amzn1.noarch
expat-2.1.0-14.31.amzn1.x86_64
kernel-4.14.285-147.501.amzn1.x86_64
kernel-devel-4.14.285-147.501.amzn1.x86_64
kernel-headers-4.14.285-147.501.amzn1.x86_64
kernel-tools-4.14.285-147.501.amzn1.x86_64
log4j-cve-2021-44228-hotpatch-1.3-5.amzn1.noarch
microcode_ctl-2.1-47.40.amzn1.x86_64
openssl-1.0.2k-16.158.amzn1.x86_64
yum-3.4.3-150.73.amzn1.noarch
zlib-1.2.8-7.19.amzn1.x86_64
zlib-devel-1.2.8-7.19.amzn1.x86_64
Amazon Linux 2018.03.0.20220609.0
There are no major updates in this release.
Updated Packages:
expat-2.1.0-12.28.amzn1.x86_64
gzip-1.5-9.20.amzn1.x86_64
kernel-4.14.281-144.502.amzn1.x86_64
kernel-devel-4.14.281-144.502.amzn1.x86_64
kernel-headers-4.14.281-144.502.amzn1.x86_64
kernel-tools-4.14.281-144.502.amzn1.x86_64
log4j-cve-2021-44228-hotpatch-1.3-1.amzn1.noarch
openldap-2.4.40-16.32.amzn1.x86_64
python27-2.7.18-2.142.amzn1.x86_64
python27-devel-2.7.18-2.142.amzn1.x86_64
python27-libs-2.7.18-2.142.amzn1.x86_64
rsyslog-5.8.10-9.29.amzn1.x86_64
tzdata-2022a-1.79.amzn1.noarch
tzdata-java-2022a-1.79.amzn1.noarch
vim-common-8.2.4877-1.1.amzn1.x86_64
vim-data-8.2.4877-1.1.amzn1.noarch
vim-enhanced-8.2.4877-1.1.amzn1.x86_64
vim-filesystem-8.2.4877-1.1.amzn1.noarch
vim-minimal-8.2.4877-1.1.amzn1.x86_64
xz-5.2.2-1.14.amzn1.x86_64
xz-libs-5.2.2-1.14.amzn1.x86_64
Amazon Linux 2018.03.0.20220503.0
There are no major updates in this release.
Updated Packages:
rpm-4.11.3-40.80.amzn1.x86_64
rpm-build-libs-4.11.3-40.80.amzn1.x86_64
rpm-libs-4.11.3-40.80.amzn1.x86_64
rpm-python27-4.11.3-40.80.amzn1.x86_64
Amazon Linux 2018.03.0.20220419.0
There are no major updates in this release.
Updated Packages:
amazon-ssm-agent-3.1.1188.0-1.amzn1.x86_64
glibc-2.17-324.189.amzn1.x86_64
glibc-common-2.17-324.189.amzn1.x86_64
glibc-devel-2.17-324.189.amzn1.x86_64
glibc-headers-2.17-324.189.amzn1.x86_64
kernel-4.14.275-142.503.amzn1.x86_64
kernel-devel-4.14.275-142.503.amzn1.x86_64
kernel-headers-4.14.275-142.503.amzn1.x86_64
kernel-tools-4.14.275-142.503.amzn1.x86_64
libblkid-2.23.2-63.36.amzn1.x86_64
libcap54-2.54-1.4.amzn1.x86_64
libgcrypt-1.5.3-12.20.amzn1.x86_64
libmount-2.23.2-63.36.amzn1.x86_64
libsmartcols-2.23.2-63.36.amzn1.x86_64
libuuid-2.23.2-63.36.amzn1.x86_64
log4j-cve-2021-44228-hotpatch-1.1-16.amzn1.noarch
util-linux-2.23.2-63.36.amzn1.x86_64
vim-common-8.2.4621-1.1.amzn1.x86_64
vim-data-8.2.4621-1.1.amzn1.noarch
vim-enhanced-8.2.4621-1.1.amzn1.x86_64
vim-filesystem-8.2.4621-1.1.amzn1.noarch
vim-minimal-8.2.4621-1.1.amzn1.x86_64
Amazon Linux 2018.03.20220315.0 Release (03/15)
There are no major updates in this release.
Updated Packages:
openssl-1.0.2k-16.156.amzn1.x86_64
Amazon Linux 2018.03.20220310.0 Release (03/10)
There are no major updates in this release.
Updated Packages:
cyrus-sasl-2.1.23-13.17.amzn1.x86_64
cyrus-sasl-lib-2.1.23-13.17.amzn1.x86_64
cyrus-sasl-plain-2.1.23-13.17.amzn1.x86_64
expat-2.1.0-12.27.amzn1.x86_64
log4j-cve-2021-44228-hotpatch-1.1-13.amzn1.noarch
tzdata-2021e-1.78.amzn1.noarch
tzdata-java-2021e-1.78.amzn1.noarch
vim-common-8.2.4314-1.1.amzn1.x86_64
vim-data-8.2.4314-1.1.amzn1.noarch
vim-enhanced-8.2.4314-1.1.amzn1.x86_64
vim-filesystem-8.2.4314-1.1.amzn1.noarch
vim-minimal-8.2.4314-1.1.amzn1.x86_64
Amazon Linux 2018.03.0.20220209.2 Update
There are no major updates in this release.
Updated Packages:
kernel-4.14.268-139.500.amzn1.x86_64
kernel-devel-4.14.268-139.500.amzn1.x86_64
kernel-headers-4.14.268-139.500.amzn1.x86_64
kernel-tools-4.14.268-139.500.amzn1.x86_64
Amazon Linux 2018.03.0.20220209.0 Update
There are no major updates in this release.
Updated Packages:
ca-certificates-2018.2.22-65.1.26.amzn1.noarch
openssh-7.4p1-22.77.amzn1.x86_64
openssh-clients-7.4p1-22.77.amzn1.x86_64
openssh-server-7.4p1-22.77.amzn1.x86_64
Amazon Linux 2018.03.0.20220207.0 Update
There are no major updates in this release.
Kernel:
Rebase kernel to upstream stable 4.14.262
CVEs Fixed:
CVE-2021-4083 [fget: check that the fd still exists after getting a ref to it]
CVE-2021-39685 [USB: gadget: detect too-big endpoint 0 requests]
CVE-2021-28711 [xen/blkfront: harden blkfront against event channel storms]
CVE-2021-28712 [xen/netfront: harden netfront against event channel storms]
CVE-2021-28713 [xen/console: harden hvc_xen against event channel storms]
CVE-2021-28714 [xen/netback: fix rx queue stall detection]
CVE-2021-28715 [xen/netback: don't queue unlimited number of packages]
CVE-2021-44733 [tee: handle lookup of shm with reference count 0]
CVE-2021-4155 [xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate]
CVE-2022-0492 [kernel: cgroups v1 release_agent feature may allow privilege escalation]
Amazon Features and Backports:
ena: Update to 2.6.0
fuse: fix bad inode
fuse: fix live lock in fuse_iget()
lustre: update to AmazonFSxLustreClient v2.10.8-10
cgroup-v1: require capabilities to set release_agent
audit: improve audit queue handling when "audit=1" on cmdline
ENA: Update to v2.6.1
Other Fixes:
tracing: Fix pid filtering when triggers are attached
NFSv42: Don't fail clone() unless the OP_CLONE operation failed
ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE
ipv6: fix typos in ip6_finish_output()
tracing: Check pid filtering when creating events
PCI: aardvark: Train link immediately after enabling training
PCI: aardvark: Update comment about disabling link training
Updated Packages:
kernel-4.14.262-135.489.amzn1.x86_64
kernel-devel-4.14.262-135.489.amzn1.x86_64
kernel-headers-4.14.262-135.489.amzn1.x86_64
kernel-tools-4.14.262-135.489.amzn1.x86_64
Amazon Linux 2018.03.0.20220128.0 Update
There are no major updates in this release.
Updated Packages:
vim-common-8.2.4006-1.2.amzn1.x86_64
vim-data-8.2.4006-1.2.amzn1.noarch
vim-enhanced-8.2.4006-1.2.amzn1.x86_64
vim-filesystem-8.2.4006-1.2.amzn1.noarch
vim-minimal-8.2.4006-1.2.amzn1.x86_64
Amazon Linux 2018.03.0.20211222.0
Note
The deprecated aws-apitools-* packages are no longer shipped by default in the AL1 AMI (see this forum post). log4j-cve-2021-44228-hotpatch is enabled by default, and is now part of the AMI rather than an update applied on launch.
Updated Packages:
aws-apitools-as-1.0.61.6-1.0.amzn1.noarch
aws-apitools-elb-1.0.35.0-1.0.amzn1.noarch
apitools-mon-1.0.20.0-1.0.amzn1.noarch
java-1.7.0-openjdk-1.7.0.261-2.6.22.1.83.amzn1.x86_64
java-1.7.0-openjdk-1.7.0.261-2.6.22.1.84.amzn1.x86_64
log4j-cve-2021-44228-hotpatch-1.1-12.amzn1.noarch
Amazon Linux 2018.03.0.20211201.0
Major Updates:
Updated nss to fix CVE-2021-43527. NSS (Network Security Services) up to and including 3.73 is vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. When verifying a DER-encoded signature, NSS decodes the signature into a fixed-size buffer and passes the buffer to the underlying PKCS #11 module. The length of the signature is not correctly checked when processing DSA and RSA-PSS signatures. DSA and RSA-PSS signatures larger than 16384 bits will overflow the buffer in VFYContextStr. The vulnerable code is located within secvfy.c:vfy_CreateContext. (CVE-2021-43527)
Updated Packages:
nss-3.53.1-7.87.amzn1.x86_64
nss-sysinit-3.53.1-7.87.amzn1.x86_64
nss-tools-3.53.1-7.87.amzn1.x86_64
Amazon Linux 2018.03.0.20211111.0
Updated Packages:
curl-7.61.1-12.100.amzn1.x86_64
kernel-4.14.252-131.483.amzn1.x86_64
kernel-devel-4.14.252-131.483.amzn1.x86_64
kernel-headers-4.14.252-131.483.amzn1.x86_64
kernel-tools-4.14.252-131.483.amzn1.x86_64
libcurl-7.61.1-12.100.amzn1.x86_64
openssl-1.0.2k-16.155.amzn1.x86_64
Kernel Updates:
Rebase kernel to upstream stable 4.14.252
CVEs Fixed:
CVE-2021-37159 [usb: hso: fix error handling code of hso_create_net_device]
CVE-2021-3744 [crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()]
CVE-2021-3764 [crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()]
CVE-2021-20317 [lib/timerqueue: Rely on rbtree semantics for next timer]
CVE-2021-20321 [ovl: fix missing negative dentry check in ovl_rename()]
CVE-2021-41864 [bpf: Fix integer overflow in prealloc_elems_and_freelist()]
Amazon Features and Backports:
Enable nitro-enclaves driver for arm64
Other Fixes:
md: fix a lock order reversal in md_alloc
arm64: Mark stack_chk_guard as ro_after_init
cpufreq: schedutil: Use kobject release() method to free sugov_tunables
cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory
ext4: fix potential infinite loop in ext4_dx_readdir()
nfsd4: Handle the NFSv4 READDIR 'dircount' hint being zero
net_sched: fix NULL deref in fifo_set_limit()
perf/x86: Reset destroy callback on event init failure
virtio: write back F_VERSION_1 before validate
Amazon Linux 2018.03.0.20211015.1
Updated Packages:
kernel-4.14.248-129.473.amzn1.x86_64
kernel-devel-4.14.248-129.473.amzn1.x86_64
kernel-headers-4.14.248-129.473.amzn1.x86_64
kernel-tools-4.14.248-129.473.amzn1.x86_64
openssl-1.0.2k-16.154.amzn1.x86_64
Kernel Updates:
Rebase kernel to upstream stable 4.14.248
CVEs Fixed:
CVE-2020-16119 [dccp: don't duplicate ccid when cloning dccp sock]
CVE-2021-40490 [ext4: fix race writing to an inline_data file while its xattrs are changing]
CVE-2021-42252 [soc: aspeed: lpc-ctrl: Fix boundary check for mmap]
Other Fixes:
mm/kmemleak.c: make cond_resched() rate-limiting more efficient
mm/page_alloc: speed up the iteration of max_order
tcp: seq_file: Avoid skipping sk during tcp_seek_last_pos
KVM: x86: Update vCPU's hv_clock before back to guest when tsc_offset is adjusted
cifs: fix wrong release in sess_alloc_buffer() failed path
rcu: Fix missed wakeup of exp_wq waiters
Amazon Linux 2018.03.0.20211001.0
Major Updates:
Update of ca-certificates to version 2018.2.22-65.1.24.amzn1, which addresses the expiring IdentTrust DST Root CA X3, which affected some Let's Encrypt TLS certificates. The effect of the expiring certificate would be an inability of OpenSSL to validate impacted certificates issued by Let's Encrypt. Impacted customers may have experienced connection or certificate errors when attempting to connect to certain websites or APIs that use Let's Encrypt certificates.
Updated Packages:
ca-certificates-2018.2.22-65.1.24.amzn1.noarch
curl-7.61.1-12.99.amzn1.x86_64
glib2-2.36.3-5.22.amzn1.x86_64
glibc-2.17-324.188.amzn1.x86_64
glibc-common-2.17-324.188.amzn1.x86_64
libcurl-7.61.1-12.99.amzn1.x86_64
Amazon Linux 2018.03.0.20210721.0
Updated Packages:
amazon-ssm-agent-3.0.1124.0-1.amzn1.x86_64
bind-libs-9.8.2-0.68.rc1.87.amzn1.x86_64
bind-utils-9.8.2-0.68.rc1.87.amzn1.x86_64
curl-7.61.1-12.98.amzn1.x86_64
dhclient-4.1.1-53.P1.29.amzn1.x86_64
dhcp-common-4.1.1-53.P1.29.amzn1.x86_64
glibc-2.17-322.181.amzn1.x86_64
glibc-common-2.17-322.181.amzn1.x86_64
glibc-devel-2.17-322.181.amzn1.x86_64
glibc-headers-2.17-322.181.amzn1.x86_64
kernel-4.14.238-125.422.amzn1.x86_64
kernel-devel-4.14.238-125.422.amzn1.x86_64
kernel-headers-4.14.238-125.422.amzn1.x86_64
kernel-tools-4.14.238-125.422.amzn1.x86_64
libX11-1.6.0-2.2.14.amzn1.x86_64
libX11-common-1.6.0-2.2.14.amzn1.x86_64
libcurl-7.61.1-12.98.amzn1.x86_64
nspr-4.25.0-2.45.amzn1.x86_64
nss-3.53.1-7.85.amzn1.x86_64
nss-softokn-3.53.1-6.46.amzn1.x86_64
nss-softokn-freebl-3.53.1-6.46.amzn1.x86_64
nss-sysinit-3.53.1-7.85.amzn1.x86_64
nss-tools-3.53.1-7.85.amzn1.x86_64
nss-util-3.53.1-1.58.amzn1.x86_64
rpm-4.11.3-40.79.amzn1.x86_64
rpm-build-libs-4.11.3-40.79.amzn1.x86_64
rpm-libs-4.11.3-40.79.amzn1.x86_64
rpm-python27-4.11.3-40.79.amzn1.x86_64
tzdata-2021a-1.79.amzn1.noarch
tzdata-java-2021a-1.79.amzn1.noarch
update-motd-1.0.1-3.1.amzn1.noarch
Kernel Updates:
Rebase kernel to upstream stable 4.14.238
Amazon EFA Driver: update to version v1.12.1
CVEs Fixed:
CVE-2021-32399 [bluetooth: eliminate the potential race condition when removing the HCI controller]
CVE-2021-33034 [Bluetooth: verify AMP hci_chan before amp_destroy]
CVE-2020-26558 [Bluetooth: SMP: Fail if remote and local public keys are identical]
CVE-2021-0129 [Bluetooth: SMP: Fail if remote and local public keys are identical]
CVE-2020-24586 [mac80211: prevent mixed key and fragment cache attacks]
CVE-2020-24587 [mac80211: prevent mixed key and fragment cache attacks]
CVE-2020-24588 [cfg80211: mitigate A-MSDU aggregation attacks]
CVE-2020-26139 [mac80211: do not accept/forward invalid EAPOL frames]
CVE-2020-26147 [mac80211: assure all fragments are encrypted]
CVE-2021-29650 [netfilter: x_tables: Use correct memory barriers.]
CVE-2021-3564 [Bluetooth: fix the erroneous flush_work() order]
CVE-2021-3573 [Bluetooth: use correct lock to prevent UAF of hdev object]
CVE-2021-3587 [nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect]
CVE-2021-34693 [can: bcm: fix infoleak in struct bcm_msg_head]
CVE-2021-33624 [bpf: Inherit expanded/patched seen count from old aux data]
CVE-2021-33909 [seq_file: disallow extremely large seq buffer allocations]
Amazon Features and Backports:
arm64/kernel: don't ban ADRP to work around Cortex-A53 erratum #843419
arm64/errata: add REVIDR handling to framework
arm64/kernel: enable A53 erratum #8434319 handling at runtime
arm64: fix undefined reference to 'printk'
arm64/kernel: rename module_emit_adrp_veneer→module_emit_veneer_for_adrp
arm64/kernel: kaslr: reduce module randomization range to 4 GB
Revert "arm64: acpi/pci: invoke _DSM whether to preserve firmware PCI setup"
PCI/ACPI: Evaluate PCI Boot Configuration _DSM
PCI: Don't auto-realloc if we're preserving firmware config
arm64: PCI: Allow resource reallocation if necessary
arm64: PCI: Preserve firmware configuration when desired
bpf: fix subprog verifier bypass by div/mod by 0 exception
bpf, x86_64: remove obsolete exception handling from div/mod
bpf, arm64: remove obsolete exception handling from div/mod
bpf, s390x: remove obsolete exception handling from div/mod
bpf, ppc64: remove obsolete exception handling from div/mod
bpf, sparc64: remove obsolete exception handling from div/mod
bpf, mips64: remove obsolete exception handling from div/mod
bpf, mips64: remove unneeded zero check from div/mod with k
bpf, arm: remove obsolete exception handling from div/mod
bpf: Fix 32 bit src register truncation on div/mod
bpf: Inherit expanded/patched seen count from old aux data
bpf: Do not mark insn as seen under speculative path verification
bpf: Fix leakage under speculation on mispredicted branches
seq_file: disallow extremely large seq buffer allocations
Amazon Linux 2018.03.0.20210521.1
Updated Packages:
kernel-4.14.232-123.381.amzn1.x86_64
kernel-devel-4.14.232-123.381.amzn1.x86_64
kernel-headers-4.14.232-123.381.amzn1.x86_64
kernel-tools-4.14.232-123.381.amzn1.x86_64
nvidia-418.197.02-2018.03.117.amzn1.x86_64
nvidia-dkms-418.197.02-2018.03.117.amzn1.x86_64
ruby20-2.0.0.648-2.40.amzn1.x86_64
ruby20-irb-2.0.0.648-2.40.amzn1.noarch
ruby20-libs-2.0.0.648-2.40.amzn1.x86_64
rubygem20-bigdecimal-1.2.0-2.40.amzn1.x86_64
rubygem20-psych-2.0.0-2.40.amzn1.x86_64
rubygems20-2.0.14.1-2.40.amzn1.noarch
xorg-x11-server-Xorg-1.17.4-18.44.amzn1.x86_64
xorg-x11-server-common-1.17.4-18.44.amzn1.x86_64
Kernel Update:
Rebase kernel to upstream stable 4.14.232
lustre: update to AmazonFSxLustreClient v2.10.8-7
CVEs Fixed:
CVE-2020-29374 [gup: document and work around "COW can break either way" issue]
CVE-2021-23133 [net/sctp: fix race condition in sctp_destroy_sock]
Amazon Features and Backports:
bpf: fix up selftests after backports were fixed
bpf, selftests: Fix up some test_verifier cases for unprivileged
bpf: Move off_reg into sanitize_ptr_alu
bpf: Ensure off_reg has no mixed signed bounds for all types
bpf: Rework ptr_limit into alu_limit and add common error path
bpf: Improve verifier error messages for users
bpf: Refactor and streamline bounds check into helper
bpf: Move sanitize_val_alu out of op switch
bpf: Tighten speculative pointer arithmetic mask
bpf: Update selftests to reflect new error states
bpf: do not allow root to mangle valid pointers
bpf/verifier: disallow pointer subtraction
selftests/bpf: fix test_align
selftests/bpf: make 'dubious pointer arithmetic' test useful
bpf: Fix masking negation logic upon negative dst register
bpf: Fix leakage of uninitialized bpf stack under speculation
Revert "net/sctp: fix race condition in sctp_destroy_sock"
sctp: delay auto_asconf init until binding the first addr
cifs: fix panic in smb2_reconnect
Other Fixes:
arm64: fix inline asm in load_unaligned_zeropad()
ext4: correct error label in ext4_rename()
x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access
Amazon Linux 2018.03.0.20210408.0
Major Updates:
iptables has been updated from 1.4.18 to 1.4.21
Updated Packages:
amazon-ssm-agent-3.0.529.0-1.amzn1.x86_64
iptables-1.4.21-34.33.amzn1.x86_64
kernel-4.14.225-121.362.amzn1.x86_64
kernel-devel-4.14.225-121.362.amzn1.x86_64
kernel-headers-4.14.225-121.362.amzn1.x86_64
kernel-tools-4.14.225-121.362.amzn1.x86_64
libmnl-1.0.3-4.2.amzn1.x86_64
libnetfilter_conntrack-1.0.4-1.7.amzn1.x86_64
libnfnetlink-1.0.1-1.3.amzn1.x86_64
openssh-7.4p1-21.75.amzn1.x86_64
openssh-clients-7.4p1-21.75.amzn1.x86_64
openssh-server-7.4p1-21.75.amzn1.x86_64
python27-setuptools-36.2.7-1.35.amzn1.noarch
screen-4.0.3-19.7.amzn1.x86_64
Amazon Linux 2018.03.0.20210319.0
No major updates. Reminder that AL1 is in Maintenance Support.
Updated Packages:
bind-libs-9.8.2-0.68.rc1.86.amzn1.x86_64
bind-utils-9.8.2-0.68.rc1.86.amzn1.x86_64
cloud-init-0.7.6-43.23.amzn1.noarch
ec2-net-utils-0.7-43.5.amzn1.noarch
ec2-utils-0.7-43.5.amzn1.noarch
grub-0.97-94.32.amzn1.x86_64
kernel-4.14.225-121.357.amzn1.x86_64
kernel-devel-4.14.225-121.357.amzn1.x86_64
kernel-headers-4.14.225-121.357.amzn1.x86_64
kernel-tools-4.14.225-121.357.amzn1.x86_64
python27-pyliblzma-0.5.3-11.7.amzn1.x86_64
yum-3.4.3-150.72.amzn1.noarch
Kernel Update:
Rebase kernel to upstream stable 4.14.225
CVEs Fixed:
CVE-2021-26930 [xen-blkback: fix error handling in xen_blkbk_map()]
CVE-2021-26931 [xen-blkback: don't "handle" error by BUG()]
CVE-2021-26932 [Xen/x86: don't bail early from clear_foreign_p2m_mapping()]
CVE-2021-27363 [scsi: iscsi: Restrict sessions and handles to admin capabilities]
CVE-2021-27364 [scsi: iscsi: Restrict sessions and handles to admin capabilities]
CVE-2021-27365 [scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE]
CVE-2021-28038 [Xen/gnttab: handle p2m update errors on a per-slot basis]
Amazon Features and Backports:
arm64: kaslr: Refactor early init command line parsing
arm64: Extend the kernel command line from the bootloader
arm64: Export acpi_psci_use_hvc() symbol
hwrng: Add Gravition RNG driver
iommu/vt-d: Skip TE disabling on quirky gfx dedicated iommu
x86/x2apic: Mark set_x2apic_phys_mode() as init
x86/apic: Deinline x2apic functions
x86/apic: Fix x2apic enablement without interrupt remapping
x86/msi: Only use high bits of MSI address for DMAR unit
x86/io_apic: Reevaluate vector configuration on activate()
x86/ioapic: Handle Extended Destination ID field in RTE
x86/apic: Support 15 bits of APIC ID in MSI where available
x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID
x86/kvm: Enable 15-bit extension when KVM_FEATURE_MSI_EXT_DEST_ID detected
arm64: HWCAP: add support for AT_HWCAP2
arm64: HWCAP: encapsulate elf_hwcap
arm64: Implement archrandom.h for ARMv8.5-RNG
mm: memcontrol: fix NR_WRITEBACK leak in memcg and system stats
mm: memcg: make sure memory.events is uptodate when waking pollers
mem_cgroup: make sure moving_account, move_lock_task and stat_cpu in the same cacheline
mm: fix oom_kill event handling
mm: writeback: use exact memcg dirty counts
Other Fixes:
net_sched: reject silly cell_log in qdisc_get_rtab()
x86: always_inline {rd,wr}msr()
net: lapb: Copy the skb before sending a packet
ipv4: fix race condition between route lookup and invalidation
mm: hugetlb: fix a race between isolating and freeing page
mm: hugetlb: remove VM_BUG_ON_PAGE from page_huge_active
mm: thp: fix MADV_REMOVE deadlock on shmem THP
x86/apic: Add extra serialization for non-serializing MSRs
iommu/vt-d: Do not use flush-queue when caching-mode is on
fgraph: Initialize tracing_graph_pause at task creation
ARM: ensure the signal page contains defined contents
kvm: check tlbs_dirty directly
ext4: fix potential htree index checksum corruption
mm/memory.c: fix potential pte_unmap_unlock pte error
mm/hugetlb: fix potential double free in hugetlb_register_node() error path
arm64: Add missing ISB after invalidating TLB in primary_switch
mm/rmap: fix potential pte_unmap on an not mapped pte
x86/reboot: Force all cpus to exit VMX root if VMX is supported
mm: hugetlb: fix a race between freeing and dissolving the page
arm64 module: set plt* section addresses to 0x0
xfs: Fix assert failure in xfs_setattr_size()
Amazon Linux 2018.03.0.20210224.0
Updated Packages:
kernel-4.14.219-119.340.amzn1.x86_64
kernel-devel-4.14.219-119.340.amzn1.x86_64
kernel-headers-4.14.219-119.340.amzn1.x86_64
kernel-tools-4.14.219-119.340.amzn1.x86_64
openssl-1.0.2k-16.153.amzn1.x86_64
python27-2.7.18-2.141.amzn1.x86_64
python27-devel-2.7.18-2.141.amzn1.x86_64
python27-libs-2.7.18-2.141.amzn1.x86_64
Kernel Update:
Rebase kernel to upstream stable 4.14.219
CVEs Fixed:
CVE-2020-28374 [scsi: target: Fix XCOPY NAA identifier lookup]
CVE-2021-3178 [nfsd4: readdirplus shouldn't return parent of export]
CVE-2020-27825 [tracing: Fix race in trace_open and buffer resize call]
CVE-2021-3347 [futex: Ensure the correct return value from futex_lock_pi()]
CVE-2021-3348 [nbd: freeze the queue while we're adding connections]
Backported Fixes:
NFS: Do uncached readdir when we're seeking a cookie in an empty page cache
Other Fixes:
virtio_net: Fix recursive call to cpus_read_lock()
net-sysfs: take the rtnl lock when storing xps_cpus
net: ethernet: ti: cpts: fix ethtool output when no ptp_clock registered
vhost_net: fix ubuf refcount incorrectly when sendmsg fails
net-sysfs: take the rtnl lock when accessing xps_cpus_map and num_tc
crypto: ecdh - avoid buffer overflow in ecdh_set_secret()
x86/mm: Fix leak of pmd ptlock
KVM: x86: fix shift out of bounds reported by UBSAN
net: ip: always refragment ip defragmented packets
x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR
x86/resctrl: Don't move a task to the same resource group
cpufreq: powernow-k8: pass policy rather than use cpufreq_cpu_get()
iommu/intel: Fix memleak in intel_irq_remapping_alloc
KVM: arm64: Don't access PMCR_EL0 when no PMU is available
mm/hugetlb: fix potential missing huge page size info
dm snapshot: flush merged data before committing metadata
ext4: fix bug for rename with RENAME_WHITEOUT
NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock
ext4: fix superblock checksum failure when setting password salt
mm, slub: consider rest of partial list if acquire_slab() fails
rxrpc: Fix handling of an unsupported token type in rxrpc_read()
tipc: fix NULL deref in tipc_link_xmit()
net: use skb_list_del_init() to remove from RX sublists
net: introduce skb_list_walk_safe for skb segment walking
dm: avoid filesystem lookup in dm_get_dev_t()
skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too
tracing: Fix race in trace_open and buffer resize call
x86/boot/compressed: Disable relocation relaxation
nbd: freeze the queue while we're adding connections
KVM: x86: get smi pending status correctly
x86/entry/64/compat: Preserve r8-r11 in int $0x80
x86/entry/64/compat: Fix "x86/entry/64/compat: Preserve r8-r11 in int $0x80"
Amazon Linux 2018.03.0.20210126.0
Updated Packages:
bind-libs-9.8.2-0.68.rc1.85.amzn1.x86_64
bind-utils-9.8.2-0.68.rc1.85.amzn1.x86_64
ca-certificates-2018.2.22-65.1.23.amzn1.noarch
e2fsprogs-1.43.5-2.44.amzn1.x86_64
e2fsprogs-libs-1.43.5-2.44.amzn1.x86_64
ec2-net-utils-0.7-2.4.amzn1.noarch
ec2-utils-0.7-2.4.amzn1.noarch
expat-2.1.0-12.24.amzn1.x86_64
gnupg2-2.0.28-2.34.amzn1.x86_64
kernel-4.14.214-118.339.amzn1.x86_64
kernel-devel-4.14.214-118.339.amzn1.x86_64
kernel-headers-4.14.214-118.339.amzn1.x86_64
kernel-tools-4.14.214-118.339.amzn1.x86_64
libblkid-2.23.2-63.33.amzn1.x86_64
libcom_err-1.43.5-2.44.amzn1.x86_64
libepoxy-1.2-3.3.amzn1.x86_64
libevdev-1.4.5-2.4.amzn1.x86_64
libmount-2.23.2-63.33.amzn1.x86_64
libsmartcols-2.23.2-63.33.amzn1.x86_64
libss-1.43.5-2.44.amzn1.x86_64
libuuid-2.23.2-63.33.amzn1.x86_64
libX11-1.6.0-2.2.13.amzn1.x86_64
libX11-common-1.6.0-2.2.13.amzn1.x86_64
libxslt-1.1.28-6.15.amzn1.x86_64
mtdev-1.1.2-5.4.amzn1.x86_64
python27-pip-9.0.3-1.28.amzn1.noarch
python27-setuptools-36.2.7-1.34.amzn1.noarch
ruby20-2.0.0.648-2.39.amzn1.x86_64
ruby20-irb-2.0.0.648-2.39.amzn1.noarch
ruby20-libs-2.0.0.648-2.39.amzn1.x86_64
rubygem20-bigdecimal-1.2.0-2.39.amzn1.x86_64
rubygem20-psych-2.0.0-2.39.amzn1.x86_64
rubygems20-2.0.14.1-2.39.amzn1.noarch
sudo-1.8.23-9.56.amzn1.x86_64
system-release-2018.03-0.2.noarch
tzdata-2020d-2.76.amzn1.noarch
tzdata-java-2020d-2.76.amzn1.noarch
util-linux-2.23.2-63.33.amzn1.x86_64
vim-common-8.0.0503-1.47.amzn1.x86_64
vim-enhanced-8.0.0503-1.47.amzn1.x86_64
vim-filesystem-8.0.0503-1.47.amzn1.x86_64
vim-minimal-8.0.0503-1.47.amzn1.x86_64
xorg-x11-drv-evdev-2.9.2-1.7.amzn1.x86_64
xorg-x11-drv-vesa-2.3.4-1.8.amzn1.x86_64
xorg-x11-drv-void-1.4.1-1.8.amzn1.x86_64
xorg-x11-server-common-1.17.4-18.43.amzn1.x86_64
xorg-x11-server-Xorg-1.17.4-18.43.amzn1.x86_64
Kernel Updates:
Rebase kernel to upstream stable 4.14.214
CVEs Fixed:
CVE-2019-19813 [btrfs: inode: Verify inode mode to avoid NULL pointer dereference]
CVE-2019-19816 [btrfs: inode: Verify inode mode to avoid NULL pointer dereference]
CVE-2020-29661 [tty: Fix ->pgrp locking in tiocspgrp()]
CVE-2020-29660 [tty: Fix ->session locking]
CVE-2020-27830 [speakup: Reject setting the speakup line discipline outside of speakup]
CVE-2020-27815 [jfs: Fix array index bounds check in dbAdjTree]
CVE-2020-29568 [xen/xenbus: Allow watches discard events before queueing]
CVE-2020-29569 [xen-blkback: set ring->xenblkd to NULL after kthread_stop()]
Backported Fixes:
SMB3: Add support for getting and setting SACLs
Add SMB 2 support for getting and setting SACLs
Other Fixes:
mm: memcontrol: fix excessive complexity in memory.stat reporting
PCI: Fix pci_slot_release() NULL pointer dereference
ext4: fix deadlock with fs freezing and EA inodes
ext4: fix a memory leak of ext4_free_data
sched/deadline: Fix sched_dl_global_validate()
cifs: fix potential use-after-free in cifs_echo_request()
btrfs: fix return value mixup in btrfs_get_extent
btrfs: fix lockdep splat when reading qgroup config on mount
Amazon Linux 2018.03.0.20201209.1
Major Updates: Security updates to curl, openssl, and python27.
Updated packages:
curl-7.61.1-12.95.amzn1.x86_64
kernel-4.14.203-116.332.amzn1.x86_64
kernel-tools-4.14.203-116.332.amzn1.x86_64
libcurl-7.61.1-12.95.amzn1.x86_64
openssl-1.0.2k-16.152.amzn1.x86_64
python27-2.7.18-2.140.amzn1.x86_64
python27-devel-2.7.18-2.140.amzn1.x86_64
python27-libs-2.7.18-2.140.amzn1.x86_64
Kernel update:
Rebase kernel to upstream stable 4.14.203
CVEs Fixed:
CVE-2020-12352 [Bluetooth: A2MP: Fix not initializing all members]
CVE-2020-12351 [Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel]
CVE-2020-24490 [Bluetooth: fix kernel oops in store_pending_adv_report]
CVE-2020-25211 [netfilter: ctnetlink: add a range check for l3/l4 protonum]
CVE-2020-0423 [binder: fix UAF when releasing todo list]
CVE-2020-14386 [net/packet: fix overflow in tpacket_rcv]
Other fixes:
Soft lockup Issue during writeback in presence of memory reclaim
Fix CIFS trailing characters
Amazon Linux 2018.03.0.20201028.0
Updated packages:
amazon-ssm-agent: 2.3.1319.0-1 to 3.0.161.0-1.
aws-cfn-bootstrap: 1.4-32.23 to 1.4-34.24.
kernel: 4.14.193-113.317 to 4.14.200-116.320.
kernel-devel: 4.14.193-113.317 to 4.14.200-116.320.
kernel-headers: 4.14.193-113.317 to 4.14.200-116.320.
kernel-tools: 4.14.193-113.317 to 4.14.200-116.320.
libxml2: 2.9.1-6.4.40 to 2.9.1-6.4.41.
libxml2-python27: 2.9.1-6.4.40 to 2.9.1-6.4.41.
ntp: 4.2.8p12-1.41 to 4.2.8p15-1.44.
ntpdate: 4.2.8p12-1.41 to 4.2.8p15-1.44.
rpm: 4.11.3-40.77 to 4.11.3-40.78.
rpm-build-libs: 4.11.3-40.77 to 4.11.3-40.78.
rpm-libs: 4.11.3-40.77 to 4.11.3-40.78.
rpm-python27: 4.11.3-40.77 to 4.11.3-40.78.
tzdata: 2019c-1.73 to 2020a-1.75.
tzdata-java: 2019c-1.73 to 2020a-1.75.
tzdata-2019c.173.amzn1.noarch to tzdata-2020a-1.75.amzn1.noarch
Kernel update:
Rebase kernel to upstream stable 4.14.200
CVEs Fixed:
CVE-2019-19448 [btrfs: only search for left_info if there is no right_info in try_merge_free_space]
CVE-2020-25212 [nfs: Fix getxattr kernel panic and memory overflow]
CVE-2020-14331 [vgacon: Fix for missing check in scrollback handling]
CVE-2020-14314 [ext4: fix potential negative array index in do_split()]
CVE-2020-25285 [mm/hugetlb: fix a race between hugetlb sysctl handlers]
CVE-2020-25641 [block: allow for_each_bvec to support zero len bvec]
CVE-2020-25211 [netfilter: ctnetlink: add a range check for l3/l4 protonum]
CVE-2020-12888 [vfio-pci: Invalidate mmaps and block MMIO access on disabled memory]
CVE-2020-25284 [rbd: require global CAP_SYS_ADMIN for mapping and unmapping]
CVE-2020-14390 [fbcon: remove soft scrollback code]
CVE-2020-25645 [geneve: add transport ports in route lookup for geneve]
Other fixes:
nfs: optimise readdir cache page invalidation
nfs: Fix security label length not being reset
Amazon Linux 2018.03.0.20200918.0
Note
Major Updates: Removed aws-api-tools-ec2-1.7.3.0-2.1.amzn1.noarch
Updated packages:
tzdata-2019c.173.amzn1.noarch to tzdata-2020a-1.75.amzn1.noarch
tzdata-java-2019c-1.73.amzn1.noarch to tzdata-java-2020a-1.75.amzn1.noarch
Amazon Linux 2018.03.0.20200904.0
Major Updates: Update to AWS CLI, as well as CVE fixes for kernel, ruby, and python. Also contains a fix for rpm usage on systems where the ulimit for file descriptors is greater than 1024.
Updated packages:
aws-cli-1.18.107-1.55.amzn1.noarch
kernel-4.14.193-113.317.amzn1.x86_64
kernel-devel-4.14.193-113.317.amzn1.x86_64
kernel-headers-4.14.193-113.317.amzn1.x86_64
kernel-tools-4.14.193-113.317.amzn1.x86_64
libxml2-2.9.1-6.4.40.amzn1.x86_64
libxml2-python27-2.9.1-6.4.40.amzn1.x86_64
python27-2.7.18-2.139.amzn1.x86_64
python27-botocore-1.17.31-1.72.amzn1.noarch
python27-devel-2.7.18-2.139.amzn1.x86_64
python27-libs-2.7.18-2.139.amzn1.x86_64
python27-rsa-3.4.1-1.9.amzn1.noarch
rpm-4.11.3-40.77.amzn1.x86_64
rpm-build-libs-4.11.3-40.77.amzn1.x86_64
rpm-libs-4.11.3-40.77.amzn1.x86_64
rpm-python27-4.11.3-40.77.amzn1.x86_64
ruby20-2.0.0.648-1.33.amzn1.x86_64
ruby20-irb-2.0.0.648-1.33.amzn1.noarch
ruby20-libs-2.0.0.648-1.33.amzn1.x86_64
rubygem20-bigdecimal-1.2.0-1.33.amzn1.x86_64
rubygem20-json-1.8.3-1.53.amzn1.x86_64
rubygem20-psych-2.0.0-1.33.amzn1.x86_64
rubygems20-2.0.14.1-1.33.amzn1.noarch
Kernel update:
Rebase Kernel to upstream stable 4.14.193
Updated EFA to ver 1.9.0g
CVEs fixed:
CVE-2020-16166 [random32: update the net random state on interrupt and activity]
CVE-2020-14386 [net/packet: fix overflow in tpacket_rcv]
Amazon Linux 2018.03.0.20200716.0
Note
Major Updates: This AMI release comes with an updated aws-apitools-ec2 package, which displays a warning as per the published deprecation plan.
Updated Packages:
amazon-ssm-agent-2.3.1319.0-1.amzn1.x86_64
aws-apitools-ec2-1.7.3.0-2.1.amzn1.noarch
bash-4.2.46-34.43.amzn1.x86_64
initscripts-9.03.58-1.40.amzn1.x86_64
kernel-4.14.186-110.268.amzn1.x86_64
kernel-tools-4.14.186-110.268.amzn1.x86_64
libcgroup-0.40.rc1-5.15.amzn1.x86_64
microcode_ctl-2.1-47.39.amzn1.x86_64
Kernel update:
Rebase kernel to upstream stable 4.14.186
Update ENA module to version 2.2.10
CVEs fixed:
CVE-2018-20669 [make 'user_access_begin()' do 'access_ok()']
CVE-2019-19462 [kernel/relay.c: handle alloc_percpu returning NULL in relay_open]
CVE-2020-0543 [addressed in microcode]
CVE-2020-10732 [fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()]
CVE-2020-10757 [mm: Fix mremap not considering huge pmd devmap]
CVE-2020-10766 [x86/speculation: Prepare for per task indirect branch speculation control]
CVE-2020-10767 [x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS]
CVE-2020-10768 [x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches]
CVE-2020-12771 [bcache: fix potential deadlock problem in btree_gc_coalesce]
CVE-2020-12888 [vfio-pci: Invalidate mmaps and block MMIO access on disabled memory]
Fix disallowing holes in swap files [iomap: don't allow holes in swapfiles]
Fix populating cache information [ACPI/PPTT: Handle architecturally unknown cache types]
Fix memory leaks in vfio/pci [vfio/pci: fix memory leaks in alloc_perm_bits()]
Fix error handling in btrfs [btrfs: fix error handling when submitting direct I/O bio]
Fix race leading to null pointer dereference in ext4 [ext4: fix race between ext4_sync_parent() and rename()]
Fix null pointer dereference in ext4 [ext4: fix error pointer dereference]
Fix memory leak in slub allocator [mm/slub: fix a memory leak in sysfs_slab_add()]
Amazon Linux 2018.03.0.20200602.1
Major Updates:
Python 2.7 updated to most recent upstream version - 2.7.18.
Amazon Linux will continue to provide security fixes to Python 2.7 according to our Amazon Linux 1 (AL1) support timeline. See AL1 FAQs.
ca-certificates fix for Sectigo intermediate CA expiration. See this forum thread for more details.
New kernel with fixes for five CVEs (see below).
Updated packages:
aws-cfn-bootstrap-1.4-32.23.amzn1
bind-libs-9.8.2-0.68.rc1.64.amzn1
bind-utils-9.8.2-0.68.rc1.64.amzn1
ca-certificates-2018.2.22-65.1.22.amzn1
kernel-4.14.181-108.257.amzn1
kernel-devel-4.14.181-108.257.amzn1
kernel-headers-4.14.181-108.257.amzn1
kernel-tools-4.14.181-108.257.amzn1
krb5-libs-1.15.1-46.48.amzn1
python27-2.7.18-1.137.amzn1
python27-devel-2.7.18-1.137.amzn1
python27-libs-2.7.18-1.137.amzn1
Kernel update:
Re-based kernel to upstream stable 4.14.181
Updated ENA module to version 2.2.8
CVEs fixed:
CVE-2019-19319 [ext4: protect journal inode's blocks using block_validity]
CVE-2020-10751 [selinux: properly handle multiple messages in selinux_netlink_send()]
CVE-2020-1749 [net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup]
CVE-2019-19768 [blktrace: Protect q->blk_trace with RCU]
CVE-2020-12770 [scsi: sg: add sg_remove_request in sg_write]
Fix for a deadlock condition in xen-blkfront [xen-blkfront: Delay flush till queue lock dropped]
Fix for ORC unwinding [x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks]
2018.03.0.20200514 Update
Major updates:
cloud-init now supports IMDSv2
Kernel includes fix for Important ALAS: https://alas.aws.amazon.com/ALAS-2020-1366.html
Java ALAS: https://alas.aws.amazon.com/ALAS-2020-1365.html
AWS CLI was upgraded to 1.18.13-1.54
Updated packages:
aws-cli-1.18.13-1.54.amzn1
cloud-init-0.7.6-2.20.amzn1
ec2-net-utils-0.7-1.3.amzn1
ec2-utils-0.7-1.3.amzn1
expat-2.1.0-11.22.amzn1
java-1.7.0-openjdk-1.7.0.261-2.6.22.1.83.amzn1
kernel-4.14.177-107.254
libicu-50.2-4.0
libtirpc-0.2.4-0.16.15
python27-botocore-1.15.13-1.71
python27-colorama-0.4.1-4.8
yum-3.4.3-150.71
Kernel update:
Re-based Kernel to upstream stable 4.14.177
CVE-2020-10711 [netlabel: cope with NULL catmap]
CVE-2020-12826 [Extend exec_id to 64bits]
CVE-2020-12657 [block, bfq: fix use-after-free in bfq_idle_slice_timer_body]
CVE-2020-11565 [mm: mempolicy: require at least one nodeid for MPOL_PREFERRED]
CVE-2020-8648 [vt: selection, close sel_buffer race]
CVE-2020-1094 [vhost: Check socket sk_family instead of call getname]
CVE-2020-8649 [vgacon: Fix a UAF in vgacon_invert_region]
CVE-2020-8647 [vgacon: Fix a UAF in vgacon_invert_region]
Divide by zero scheduler fix
Updated Kernel
The primary difference between Amazon Linux 1 (AL1) version 2017.09 and Amazon Linux 1 (AL1) version 2018.03 is the inclusion of a newer kernel, Linux Kernel 4.14.
11/19/2018 Update: ENA driver updates: An ENA driver update that introduces Low Latency Queues (LLQ) for improved average and tail latencies. The update also adds support for receive checksum offload that improves CPU utilization.
Automation of security patching at scale with Amazon EC2 Systems Manager Patch Manager
Amazon EC2 Systems Manager Patch Manager supports Amazon Linux 1 (AL1). This enables automated patching of fleets of Amazon Linux 1 (AL1) Amazon EC2 instances. It can scan instances for missing patches and automatically install all missing patches.
Deprecated packages
gcc44
java-1.6.0-openjdk
mysql51
openssl097a
php53
php54
php55
php70
postgresql8
python26
ruby18
ruby19
ruby21
ruby22
tomcat6