Amazon Linux 2023 version 2023.8.20250908 release notes

The nodejs20-typescript-5.7.3-1.amzn2023.0.1 and nodejs22-typescript-5.7.3-1.amzn2023.0.1 packages bring the TypeScript compiler as globally installed node modules to the Node.js 20 and 22 runtimes respectively. Both packages support simultaneous installation. The default name of the tsc executable uses the Node.js runtime selected with the alternatives tool. The current configuration can be viewed with the "alternatives --display tsc" command. However, the namespaced executables (e.g., tsc-20 or tsc-22) will always use the corresponding Node.js runtime and can be run independently of the current alternatives selection.

Following the mitigation of CVE-2025-23048 in Apache httpd, some websites may experience a "Misdirected Request" error, especially if a web server operates behind a load balancer. Currently, this issue is particularly noticeable with Application Load Balancers, which, at this time, do not relay SNI data to the target server. Apache httpd used to allow clients to send requests without setting a server name in the SNI because the check wasn't accurate. However, this behavior changed in version 2.4.64. There are several known solutions and/or workarounds depending on the load balancer and its configuration. For more information, see the Apache bug tracker.

haproxy updated from 2.8.3 to 3.0.5 (LTS). Configuration remains broadly backward-compatible. Notable deltas in 3.0 include stricter HTTP/1 request-target parsing, a runtime API single-command requirement, rejection of the enabled keyword on dynamic servers, and the rename tune.ssl.oscp-update → tune.oscp-update. For more information, see the HAProxy 3.0 release notes.

Amazon Linux will stop evaluating and fixing CVEs for the redis6 package in Amazon Linux 2023 on 2026-01-31. This is an extension from the previous package support statement which stated that support for Redis 6 ends on 2025-08-31. With the release of Redis 8, upstream security support for Redis 6.2 will be ending in 2025. For migration instructions, see the migration guide.

krb5: The KDC will not issue tickets with RC4 session keys unless explicitly configured using the new allow_rc4 variable in [libdefaults]. This change resolves CVE-2025-3576.

For information on the CVEs addressed in this release, see the Amazon Linux Security Center.

For visibility into the status of CVEs that haven't been addressed yet, see the Amazon Linux Security Center.