You can find product details on the Amazon Linux AMI page.

Amazon Linux 2018.03.0.20211201.0 Update

Major Updates: 

  • Updated nss to fix CVE-2021-43527. NSS (Network Security Services) up to and including 3.73 is vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. When verifying a DER-encoded signature, NSS decodes the signature into a fixed-size buffer and passes the buffer to the underlying PKCS #11 module. The length of the signature is not correctly checked when processing DSA and RSA-PSS signatures. DSA and RSA-PSS signatures larger than 16384 bits will overflow the buffer in VFYContextStr. The vulnerable code is located within secvfy.c:vfy_CreateContext. (CVE-2021-43527)
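The bug class behind the nss update above, as an added illustration that is not NSS code and not part of the Amazon Linux release notes: a DER-encoded signature's declared length is validated against the fixed-size context buffer before the copy, using the 16384-bit ceiling the note gives. The struct name, the accepted tags, and the header builder used to construct test inputs are assumptions of this model, not NSS's secvfy.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of the length check CVE-2021-43527 lacked: a DER-encoded signature
 * is copied into a fixed-size buffer only after its declared length has been
 * validated. Illustrative code, not NSS's secvfy.c; the limit is the figure
 * from the release note (signatures above 16384 bits overflowed the buffer). */
#define MAX_SIG_BITS  16384
#define MAX_SIG_BYTES (MAX_SIG_BITS / 8)   /* 2048 bytes */

struct vfy_ctx {            /* stand-in for the fixed-size verify context */
    uint8_t sig[MAX_SIG_BYTES];
    size_t  sig_len;
};

/* Parse the DER length field at der[pos]. Returns the number of bytes the
 * length field occupies, or 0 for malformed or non-DER encodings. */
static size_t der_read_length(const uint8_t *der, size_t der_len,
                              size_t pos, size_t *out_len)
{
    if (pos >= der_len) return 0;
    uint8_t b = der[pos];
    if (b < 0x80) { *out_len = b; return 1; }     /* short form */
    if (b == 0x80 || b == 0xff) return 0;          /* indefinite/reserved */
    size_t n = b & 0x7f;                            /* long form: n bytes */
    if (n > sizeof(size_t) || n > der_len - pos - 1) return 0;
    size_t len = 0;
    for (size_t i = 0; i < n; i++) len = (len << 8) | der[pos + 1 + i];
    /* DER requires the shortest encoding of the length */
    if ((n == 1 && len < 0x80) || (n > 1 && der[pos + 1] == 0)) return 0;
    *out_len = len;
    return 1 + n;
}

/* Copy the signature value into ctx. Returns 0 on success, -1 if the input
 * is malformed, truncated, or larger than the fixed buffer. */
int load_der_signature(const uint8_t *der, size_t der_len, struct vfy_ctx *ctx)
{
    size_t val_len, hdr;
    if (der_len < 2) return -1;
    /* accept SEQUENCE (DSA r,s) or OCTET STRING; reject other tags */
    if (der[0] != 0x30 && der[0] != 0x04) return -1;
    hdr = der_read_length(der, der_len, 1, &val_len);
    if (hdr == 0) return -1;
    if (val_len > der_len - 1 - hdr) return -1;  /* declared length exceeds input */
    if (val_len > MAX_SIG_BYTES) return -1;       /* the bound the bug omitted */
    memcpy(ctx->sig, der + 1 + hdr, val_len);
    ctx->sig_len = val_len;
    return 0;
}

/* Write a DER header (tag + length) for val_len bytes; returns header size. */
static size_t make_der_header(uint8_t *out, uint8_t tag, size_t val_len)
{
    out[0] = tag;
    if (val_len < 0x80)    { out[1] = (uint8_t)val_len; return 2; }
    if (val_len < 0x100)   { out[1] = 0x81; out[2] = (uint8_t)val_len; return 3; }
    if (val_len < 0x10000) { out[1] = 0x82; out[2] = (uint8_t)(val_len >> 8);
                             out[3] = (uint8_t)val_len; return 4; }
    return 0;
}

/* Constructed input: an OCTET STRING carrying val_len filler bytes.
 * Returns load_der_signature's verdict (0 accepted, -1 rejected). */
int verdict_for_length(size_t val_len)
{
    static uint8_t buf[4 + MAX_SIG_BYTES + 64];
    struct vfy_ctx ctx;
    if (val_len > MAX_SIG_BYTES + 64) return -1;
    size_t hdr = make_der_header(buf, 0x04, val_len);
    memset(buf + hdr, 0xAB, val_len);
    return load_der_signature(buf, hdr + val_len, &ctx);
}

/* Constructed input whose header declares 2048 bytes but carries none. */
int verdict_for_truncated(void)
{
    static const uint8_t der[] = { 0x04, 0x82, 0x08, 0x00 };
    struct vfy_ctx ctx;
    return load_der_signature(der, sizeof der, &ctx);
}
```

A 2048-byte value (exactly 16384 bits) is accepted, a 2049-byte value is refused before any copy, and a header that promises more bytes than the input carries is refused as truncated.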

Updated Packages:

• nss-3.53.1-7.87.amzn1.x86_64
• nss-sysinit-3.53.1-7.87.amzn1.x86_64
• nss-tools-3.53.1-7.87.amzn1.x86_64

Kernel Updates:
  • None

Amazon Linux 2018.03.0.20211111.0 Update

Major Updates: None

Updated Packages:

• curl-7.61.1-12.100.amzn1.x86_64
• kernel-4.14.252-131.483.amzn1.x86_64
• kernel-devel-4.14.252-131.483.amzn1.x86_64
• kernel-headers-4.14.252-131.483.amzn1.x86_64
• kernel-tools-4.14.252-131.483.amzn1.x86_64
• libcurl-7.61.1-12.100.amzn1.x86_64
• openssl-1.0.2k-16.155.amzn1.x86_64

Kernel Updates: 

  • Rebase kernel to upstream stable 4.14.252
  • CVEs Fixed:
    • CVE-2021-37159 [usb: hso: fix error handling code of hso_create_net_device]
    • CVE-2021-3744 [crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()]
    • CVE-2021-3764 [crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()]
    • CVE-2021-20317 [lib/timerqueue: Rely on rbtree semantics for next timer]
    • CVE-2021-20321 [ovl: fix missing negative dentry check in ovl_rename()]
    • CVE-2021-41864 [bpf: Fix integer overflow in prealloc_elems_and_freelist()]
  • Amazon Features & Backports:
    • Enable nitro-enclaves driver for arm64
  • Other Fixes:
    • md: fix a lock order reversal in md_alloc
    • arm64: Mark stack_chk_guard as ro_after_init
    • cpufreq: schedutil: Use kobject release() method to free sugov_tunables
    • cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory
    • ext4: fix potential infinite loop in ext4_dx_readdir()
    • nfsd4: Handle the NFSv4 READDIR 'dircount' hint being zero
    • net_sched: fix NULL deref in fifo_set_limit()
    • perf/x86: Reset destroy callback on event init failure
    • virtio: write back F_VERSION_1 before validate

Amazon Linux 2018.03.0.20211015.1 Update

Major Updates: None

Updated Packages:

• kernel-4.14.248-129.473.amzn1.x86_64
• kernel-devel-4.14.248-129.473.amzn1.x86_64
• kernel-headers-4.14.248-129.473.amzn1.x86_64
• kernel-tools-4.14.248-129.473.amzn1.x86_64
• openssl-1.0.2k-16.154.amzn1.x86_64

Kernel Updates: 

  • Rebase kernel to upstream stable 4.14.248
  • CVEs Fixed:
    • CVE-2020-16119 [dccp: don't duplicate ccid when cloning dccp sock]
    • CVE-2021-40490 [ext4: fix race writing to an inline_data file while its xattrs are changing]
    • CVE-2021-42252 [soc: aspeed: lpc-ctrl: Fix boundary check for mmap]
  • Amazon Features & Backports:
  • Other Fixes:
    • mm/kmemleak.c: make cond_resched() rate-limiting more efficient
    • mm/page_alloc: speed up the iteration of max_order
    • tcp: seq_file: Avoid skipping sk during tcp_seek_last_pos
    • KVM: x86: Update vCPU's hv_clock before back to guest when tsc_offset is adjusted
    • cifs: fix wrong release in sess_alloc_buffer() failed path
    • rcu: Fix missed wakeup of exp_wq waiters

Amazon Linux 2018.03.0.20211001.0 Update

Major Updates:
• Update of ca-certificates to version 2018.2.22-65.1.24.amzn1, which addresses the expiring IdentTrust DST Root CA X3, which affected some Let’s Encrypt TLS certificates. The effect of the expiring certificate would be an inability of OpenSSL to validate impacted certificates issued by Let’s Encrypt. Impacted customers may have experienced connection or certificate errors when attempting to connect to certain websites or APIs that use Let's Encrypt certificates

Updated Packages:
• ca-certificates-2018.2.22-65.1.24.amzn1.noarch
• curl-7.61.1-12.99.amzn1.x86_64
• glib2-2.36.3-5.22.amzn1.x86_64
• glibc-2.17-324.188.amzn1.x86_64
• glibc-common-2.17-324.188.amzn1.x86_64
• libcurl-7.61.1-12.99.amzn1.x86_64

Kernel Updates: None

Amazon Linux 2018.03.0.20210721.0 Update

Major Updates: None

Updated Packages:

• amazon-ssm-agent-3.0.1124.0-1.amzn1.x86_64
• bind-libs-9.8.2-0.68.rc1.87.amzn1.x86_64
• bind-utils-9.8.2-0.68.rc1.87.amzn1.x86_64
• curl-7.61.1-12.98.amzn1.x86_64
• dhclient-4.1.1-53.P1.29.amzn1.x86_64
• dhcp-common-4.1.1-53.P1.29.amzn1.x86_64
• glibc-2.17-322.181.amzn1.x86_64
• glibc-common-2.17-322.181.amzn1.x86_64
• glibc-devel-2.17-322.181.amzn1.x86_64
• glibc-headers-2.17-322.181.amzn1.x86_64
• kernel-4.14.238-125.422.amzn1.x86_64
• kernel-devel-4.14.238-125.422.amzn1.x86_64
• kernel-headers-4.14.238-125.422.amzn1.x86_64
• kernel-tools-4.14.238-125.422.amzn1.x86_64
• libX11-1.6.0-2.2.14.amzn1.x86_64
• libX11-common-1.6.0-2.2.14.amzn1.x86_64
• libcurl-7.61.1-12.98.amzn1.x86_64
• nspr-4.25.0-2.45.amzn1.x86_64
• nss-3.53.1-7.85.amzn1.x86_64
• nss-softokn-3.53.1-6.46.amzn1.x86_64
• nss-softokn-freebl-3.53.1-6.46.amzn1.x86_64
• nss-sysinit-3.53.1-7.85.amzn1.x86_64
• nss-tools-3.53.1-7.85.amzn1.x86_64
• nss-util-3.53.1-1.58.amzn1.x86_64
• rpm-4.11.3-40.79.amzn1.x86_64
• rpm-build-libs-4.11.3-40.79.amzn1.x86_64
• rpm-libs-4.11.3-40.79.amzn1.x86_64
• rpm-python27-4.11.3-40.79.amzn1.x86_64
• tzdata-2021a-1.79.amzn1.noarch
• tzdata-java-2021a-1.79.amzn1.noarch
• update-motd-1.0.1-3.1.amzn1.noarch

Kernel Updates:

  • Rebase kernel to upstream stable 4.14.238
  • Amazon EFA Driver: update to version v1.12.1
  • CVEs Fixed:
    • CVE-2021-32399 [bluetooth: eliminate the potential race condition when removing the HCI controller]
    • CVE-2021-33034 [Bluetooth: verify AMP hci_chan before amp_destroy]
    • CVE-2020-26558 [Bluetooth: SMP: Fail if remote and local public keys are identical]
    • CVE-2021-0129 [Bluetooth: SMP: Fail if remote and local public keys are identical]
    • CVE-2020-24586 [mac80211: prevent mixed key and fragment cache attacks]
    • CVE-2020-24587 [mac80211: prevent mixed key and fragment cache attacks]
    • CVE-2020-24588 [cfg80211: mitigate A-MSDU aggregation attacks]
    • CVE-2020-26139 [mac80211: do not accept/forward invalid EAPOL frames]
    • CVE-2020-26147 [mac80211: assure all fragments are encrypted]
    • CVE-2021-29650 [netfilter: x_tables: Use correct memory barriers.]
    • CVE-2021-3564 [Bluetooth: fix the erroneous flush_work() order]
    • CVE-2021-3573 [Bluetooth: use correct lock to prevent UAF of hdev object]
    • CVE-2021-3587 [nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect]
    • CVE-2021-34693 [can: bcm: fix infoleak in struct bcm_msg_head]
    • CVE-2021-33624 [bpf: Inherit expanded/patched seen count from old aux data]
    • CVE-2021-33909 [seq_file: disallow extremely large seq buffer allocations]
  • Amazon Features & Backports:
    • arm64/kernel: don't ban ADRP to work around Cortex-A53 erratum #843419
    • arm64/errata: add REVIDR handling to framework
    • arm64/kernel: enable A53 erratum #8434319 handling at runtime
    • arm64: fix undefined reference to 'printk'
    • arm64/kernel: rename module_emit_adrp_veneer→module_emit_veneer_for_adrp
    • arm64/kernel: kaslr: reduce module randomization range to 4 GB
    • Revert "arm64: acpi/pci: invoke _DSM whether to preserve firmware PCI setup"
    • PCI/ACPI: Evaluate PCI Boot Configuration _DSM
    • PCI: Don't auto-realloc if we're preserving firmware config
    • arm64: PCI: Allow resource reallocation if necessary
    • arm64: PCI: Preserve firmware configuration when desired
    • bpf: fix subprog verifier bypass by div/mod by 0 exception
    • bpf, x86_64: remove obsolete exception handling from div/mod
    • bpf, arm64: remove obsolete exception handling from div/mod
    • bpf, s390x: remove obsolete exception handling from div/mod
    • bpf, ppc64: remove obsolete exception handling from div/mod
    • bpf, sparc64: remove obsolete exception handling from div/mod
    • bpf, mips64: remove obsolete exception handling from div/mod
    • bpf, mips64: remove unneeded zero check from div/mod with k
    • bpf, arm: remove obsolete exception handling from div/mod
    • bpf: Fix 32 bit src register truncation on div/mod
    • bpf: Inherit expanded/patched seen count from old aux data
    • bpf: Do not mark insn as seen under speculative path verification
    • bpf: Fix leakage under speculation on mispredicted branches
    • seq_file: disallow extremely large seq buffer allocations

Amazon Linux 2018.03.0.20210521.1 Update

Major Updates: None

Updated Packages:

• kernel-4.14.232-123.381.amzn1.x86_64
• kernel-devel-4.14.232-123.381.amzn1.x86_64
• kernel-headers-4.14.232-123.381.amzn1.x86_64
• kernel-tools-4.14.232-123.381.amzn1.x86_64
• nvidia-418.197.02-2018.03.117.amzn1.x86_64
• nvidia-dkms-418.197.02-2018.03.117.amzn1.x86_64
• ruby20-
• ruby20-irb-
• ruby20-libs-
• rubygem20-bigdecimal-1.2.0-2.40.amzn1.x86_64
• rubygem20-psych-2.0.0-2.40.amzn1.x86_64
• rubygems20-
• xorg-x11-server-Xorg-1.17.4-18.44.amzn1.x86_64
• xorg-x11-server-common-1.17.4-18.44.amzn1.x86_64

Kernel Update:

  • Rebase kernel to upstream stable 4.14.232
  • lustre: update to AmazonFSxLustreClient v2.10.8-7
  • CVEs Fixed:
    • CVE-2020-29374 [gup: document and work around "COW can break either way" issue]
    • CVE-2021-23133 [net/sctp: fix race condition in sctp_destroy_sock]
  • Amazon Features & Backports:
    • bpf: fix up selftests after backports were fixed
    • bpf, selftests: Fix up some test_verifier cases for unprivileged
    • bpf: Move off_reg into sanitize_ptr_alu
    • bpf: Ensure off_reg has no mixed signed bounds for all types
    • bpf: Rework ptr_limit into alu_limit and add common error path
    • bpf: Improve verifier error messages for users
    • bpf: Refactor and streamline bounds check into helper
    • bpf: Move sanitize_val_alu out of op switch
    • bpf: Tighten speculative pointer arithmetic mask
    • bpf: Update selftests to reflect new error states
    • bpf: do not allow root to mangle valid pointers
    • bpf/verifier: disallow pointer subtraction
    • selftests/bpf: fix test_align
    • selftests/bpf: make 'dubious pointer arithmetic' test useful
    • bpf: Fix masking negation logic upon negative dst register
    • bpf: Fix leakage of uninitialized bpf stack under speculation
    • Revert "net/sctp: fix race condition in sctp_destroy_sock"
    • sctp: delay auto_asconf init until binding the first addr
    • cifs: fix panic in smb2_reconnect
  • Other Fixes:
    • arm64: fix inline asm in load_unaligned_zeropad()
    • ext4: correct error label in ext4_rename()
    • x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access

Amazon Linux 2018.03.0.20210408.0 Update

Major Updates:

  • iptables has been updated from 1.4.18 to 1.4.21

Updated Packages:


Amazon Linux 2018.03.0.20210319.0 Update

Major Updates:

  • No major updates. Reminder that AL1 is in Maintenance Support.

Updated Packages:


Kernel Update:

  • Rebase kernel to upstream stable 4.14.225
  • CVEs Fixed:
    • CVE-2021-26930 [xen-blkback: fix error handling in xen_blkbk_map()]
    • CVE-2021-26931 [xen-blkback: don't "handle" error by BUG()]
    • CVE-2021-26932 [Xen/x86: don't bail early from clear_foreign_p2m_mapping()]
    • CVE-2021-27363 [scsi: iscsi: Restrict sessions and handles to admin capabilities]
    • CVE-2021-27364 [scsi: iscsi: Restrict sessions and handles to admin capabilities]
    • CVE-2021-27365 [scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE]
    • CVE-2021-28038 [Xen/gnttab: handle p2m update errors on a per-slot basis]
  • Amazon Features & Backports:
    • arm64: kaslr: Refactor early init command line parsing
    • arm64: Extend the kernel command line from the bootloader
    • arm64: Export acpi_psci_use_hvc() symbol
    • hwrng: Add Gravition RNG driver
    • iommu/vt-d: Skip TE disabling on quirky gfx dedicated iommu
    • x86/x2apic: Mark set_x2apic_phys_mode() as init
    • x86/apic: Deinline x2apic functions
    • x86/apic: Fix x2apic enablement without interrupt remapping
    • x86/msi: Only use high bits of MSI address for DMAR unit
    • x86/io_apic: Reevaluate vector configuration on activate()
    • x86/ioapic: Handle Extended Destination ID field in RTE
    • x86/apic: Support 15 bits of APIC ID in MSI where available
    • x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID
    • x86/kvm: Enable 15-bit extension when KVM_FEATURE_MSI_EXT_DEST_ID detected
    • arm64: HWCAP: add support for AT_HWCAP2
    • arm64: HWCAP: encapsulate elf_hwcap
    • arm64: Implement archrandom.h for ARMv8.5-RNG
    • mm: memcontrol: fix NR_WRITEBACK leak in memcg and system stats
    • mm: memcg: make sure is uptodate when waking pollers
    • mem_cgroup: make sure moving_account, move_lock_task and stat_cpu in the same cacheline
    • mm: fix oom_kill event handling
    • mm: writeback: use exact memcg dirty counts
  • Other Fixes:
    • net_sched: reject silly cell_log in qdisc_get_rtab()
    • x86: always_inline {rd,wr}msr()
    • net: lapb: Copy the skb before sending a packet
    • ipv4: fix race condition between route lookup and invalidation
    • mm: hugetlb: fix a race between isolating and freeing page
    • mm: hugetlb: remove VM_BUG_ON_PAGE from page_huge_active
    • mm: thp: fix MADV_REMOVE deadlock on shmem THP
    • x86/apic: Add extra serialization for non-serializing MSRs
    • iommu/vt-d: Do not use flush-queue when caching-mode is on
    • fgraph: Initialize tracing_graph_pause at task creation
    • ARM: ensure the signal page contains defined contents
    • kvm: check tlbs_dirty directly
    • ext4: fix potential htree index checksum corruption
    • mm/memory.c: fix potential pte_unmap_unlock pte error
    • mm/hugetlb: fix potential double free in hugetlb_register_node() error path
    • arm64: Add missing ISB after invalidating TLB in primary_switch
    • mm/rmap: fix potential pte_unmap on an not mapped pte
    • x86/reboot: Force all cpus to exit VMX root if VMX is supported
    • mm: hugetlb: fix a race between freeing and dissolving the page
    • arm64 module: set plt* section addresses to 0x0
    • xfs: Fix assert failure in xfs_setattr_size()

Amazon Linux 2018.03.0.20210224.0 Update

Major Updates: None

Updated Packages:


Kernel Update:

  • Rebase kernel to upstream stable 4.14.219
  • CVEs Fixed:
    • CVE-2020-28374 [scsi: target: Fix XCOPY NAA identifier lookup]
    • CVE-2021-3178 [nfsd4: readdirplus shouldn't return parent of export]
    • CVE-2020-27825 [tracing: Fix race in trace_open and buffer resize call]
    • CVE-2021-3347 [futex: Ensure the correct return value from futex_lock_pi()]
    • CVE-2021-3348 [nbd: freeze the queue while we're adding connections]
  • Backported Fixes:
    • NFS: Do uncached readdir when we're seeking a cookie in an empty page cache
  • Other Fixes:
    • virtio_net: Fix recursive call to cpus_read_lock()
    • net-sysfs: take the rtnl lock when storing xps_cpus
    • net: ethernet: ti: cpts: fix ethtool output when no ptp_clock registered
    • vhost_net: fix ubuf refcount incorrectly when sendmsg fails
    • net-sysfs: take the rtnl lock when accessing xps_cpus_map and num_tc
    • crypto: ecdh - avoid buffer overflow in ecdh_set_secret()
    • x86/mm: Fix leak of pmd ptlock
    • KVM: x86: fix shift out of bounds reported by UBSAN
    • net: ip: always refragment ip defragmented packets
    • x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR
    • x86/resctrl: Don't move a task to the same resource group
    • cpufreq: powernow-k8: pass policy rather than use cpufreq_cpu_get()
    • iommu/intel: Fix memleak in intel_irq_remapping_alloc
    • KVM: arm64: Don't access PMCR_EL0 when no PMU is available
    • mm/hugetlb: fix potential missing huge page size info
    • dm snapshot: flush merged data before committing metadata
    • ext4: fix bug for rename with RENAME_WHITEOUT
    • NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock
    • ext4: fix superblock checksum failure when setting password salt
    • mm, slub: consider rest of partial list if acquire_slab() fails
    • rxrpc: Fix handling of an unsupported token type in rxrpc_read()
    • tipc: fix NULL deref in tipc_link_xmit()
    • net: use skb_list_del_init() to remove from RX sublists
    • net: introduce skb_list_walk_safe for skb segment walking
    • dm: avoid filesystem lookup in dm_get_dev_t()
    • skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too
    • tracing: Fix race in trace_open and buffer resize call
    • x86/boot/compressed: Disable relocation relaxation
    • nbd: freeze the queue while we're adding connections
    • KVM: x86: get smi pending status correctly
    • x86/entry/64/compat: Preserve r8-r11 in int $0x80
    • x86/entry/64/compat: Fix x86/entry/64/compat: Preserve r8-r11 in int $0x80

Amazon Linux 2018.03.0.20210126.0 Update

Major Updates: None

Updated Packages:

Kernel Update

  • Rebase kernel to upstream stable 4.14.214
  • CVEs Fixed:
    • CVE-2019-19813 [btrfs: inode: Verify inode mode to avoid NULL pointer dereference]
    • CVE-2019-19816 [btrfs: inode: Verify inode mode to avoid NULL pointer dereference]
    • CVE-2020-29661 [tty: Fix ->pgrp locking in tiocspgrp()]
    • CVE-2020-29660 [tty: Fix ->session locking]
    • CVE-2020-27830 [speakup: Reject setting the speakup line discipline outside of speakup]
    • CVE-2020-27815 [jfs: Fix array index bounds check in dbAdjTree]
    • CVE-2020-29568 [xen/xenbus: Allow watches discard events before queueing]
    • CVE-2020-29569 [xen-blkback: set ring->xenblkd to NULL after kthread_stop()]
  • Backported Fixes:
    • SMB3: Add support for getting and setting SACLs
    • Add SMB 2 support for getting and setting SACLs
  • Other Fixes:
    • mm: memcontrol: fix excessive complexity in memory.stat reporting
    • PCI: Fix pci_slot_release() NULL pointer dereference
    • ext4: fix deadlock with fs freezing and EA inodes
    • ext4: fix a memory leak of ext4_free_data
    • sched/deadline: Fix sched_dl_global_validate()
    • cifs: fix potential use-after-free in cifs_echo_request()
    • btrfs: fix return value mixup in btrfs_get_extent
    • btrfs: fix lockdep splat when reading qgroup config on mount

Amazon Linux 2018.03.0.20201209.1 Update 

Major Updates: Security updates to curl, openssl, and python27.

Updated packages:


Kernel update

  • Rebase kernel to upstream stable 4.14.203
  • CVEs Fixed:
    • CVE-2020-12352 [Bluetooth: A2MP: Fix not initializing all members]
    • CVE-2020-12351 [Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel]
    • CVE-2020-24490 [Bluetooth: fix kernel oops in store_pending_adv_report]
    • CVE-2020-25211 [netfilter: ctnetlink: add a range check for l3/l4 protonum]
    • CVE-2020-0423 [binder: fix UAF when releasing todo list]
    • CVE-2020-14386 [net/packet: fix overflow in tpacket_rcv]
  • Other fixes:
    • Soft lockup Issue during writeback in presence of memory reclaim
    • Fix CIFS trailing characters

Amazon Linux 2018.03.0.20201028.0 Update

Major Updates: None

Updated packages:
amazon-ssm-agent: 2.3.1319.0-1. →
aws-cfn-bootstrap: 1.4-32.23. → 1.4-34.24.
kernel: 4.14.193-113.317. → 4.14.200-116.320.
kernel-devel: 4.14.193-113.317. → 4.14.200-116.320.
kernel-headers: 4.14.193-113.317. → 4.14.200-116.320.
kernel-tools: 4.14.193-113.317. → 4.14.200-116.320.
libxml2: 2.9.1-6.4.40. → 2.9.1-6.4.41.
libxml2-python27: 2.9.1-6.4.40. → 2.9.1-6.4.41.
ntp: 4.2.8p12-1.41. → 4.2.8p15-1.44.
ntpdate: 4.2.8p12-1.41. → 4.2.8p15-1.44.
rpm: 4.11.3-40.77. → 4.11.3-40.78.
rpm-build-libs: 4.11.3-40.77. → 4.11.3-40.78.
rpm-libs: 4.11.3-40.77. → 4.11.3-40.78.
rpm-python27: 4.11.3-40.77. → 4.11.3-40.78.
tzdata: 2019c-1.73. → 2020a-1.75.
tzdata-java: 2019c-1.73. → 2020a-1.75.

Kernel update:

  • Rebase kernel to upstream stable 4.14.200
  • CVEs Fixed:
    • CVE-2019-19448 [btrfs: only search for left_info if there is no right_info in try_merge_free_space]
    • CVE-2020-25212 [nfs: Fix getxattr kernel panic and memory overflow]
    • CVE-2020-14331 [vgacon: Fix for missing check in scrollback handling]
    • CVE-2020-14314 [ext4: fix potential negative array index in do_split()]
    • CVE-2020-25285 [mm/hugetlb: fix a race between hugetlb sysctl handlers]
    • CVE-2020-25641 [block: allow for_each_bvec to support zero len bvec]
    • CVE-2020-25211 [netfilter: ctnetlink: add a range check for l3/l4 protonum]
    • CVE-2020-12888 [vfio-pci: Invalidate mmaps and block MMIO access on disabled memory]
    • CVE-2020-25284 [rbd: require global CAP_SYS_ADMIN for mapping and unmapping]
    • CVE-2020-14390 [fbcon: remove soft scrollback code]
    • CVE-2020-25645 [geneve: add transport ports in route lookup for geneve]
  • Other fixes:
    • nfs: optimise readdir cache page invalidation
    • nfs: Fix security label length not being reset

Amazon Linux 2018.03.0.20200918.0 Update

Major Updates:
removed aws-api-tools-ec2-

Updated packages:
tzdata-2019c.173.amzn1.noarch → tzdata-2020a-1.75.amzn1.noarch, tzdata-java-2019c-1.73.amzn1.noarch → tzdata-java-2020a-1.75.amzn1.noarch

Kernel update:
no update

Amazon Linux - 2018.03.0.20200904.0 Update

Major Updates:

Update to the AWS CLI, as well as CVE fixes for the kernel, ruby, and python. Also contains a fix for rpm usage on systems where the ulimit for file descriptors is greater than 1024.

Updated packages:

• aws-cli-1.18.107-1.55.amzn1.noarch
• kernel-4.14.193-113.317.amzn1.x86_64
• kernel-devel-4.14.193-113.317.amzn1.x86_64
• kernel-headers-4.14.193-113.317.amzn1.x86_64
• kernel-tools-4.14.193-113.317.amzn1.x86_64
• libxml2-2.9.1-6.4.40.amzn1.x86_64
• libxml2-python27-2.9.1-6.4.40.amzn1.x86_64
• python27-2.7.18-2.139.amzn1.x86_64
• python27-botocore-1.17.31-1.72.amzn1.noarch
• python27-devel-2.7.18-2.139.amzn1.x86_64
• python27-libs-2.7.18-2.139.amzn1.x86_64
• python27-rsa-3.4.1-1.9.amzn1.noarch
• rpm-4.11.3-40.77.amzn1.x86_64
• rpm-build-libs-4.11.3-40.77.amzn1.x86_64
• rpm-libs-4.11.3-40.77.amzn1.x86_64
• rpm-python27-4.11.3-40.77.amzn1.x86_64
• ruby20-
• ruby20-irb-
• ruby20-libs-
• rubygem20-bigdecimal-1.2.0-1.33.amzn1.x86_64
• rubygem20-json-1.8.3-1.53.amzn1.x86_64
• rubygem20-psych-2.0.0-1.33.amzn1.x86_64
• rubygems20-

Kernel update:

  • Rebase Kernel to upstream stable 4.14.193
  • Updated EFA to ver 1.9.0g
  • CVEs fixed
    • CVE-2020-16166 [random32: update the net random state on interrupt and activity]
    • CVE-2020-14386 [net/packet: fix overflow in tpacket_rcv]

Amazon Linux - 2018.03.0.20200716.0 Update

Major Updates:

This AMI release comes with an updated aws-apitools-ec2 package which displays a warning as per the deprecation plan published at

Updated Packages:

• amazon-ssm-agent-2.3.1319.0-1.amzn1.x86_64
• aws-apitools-ec2-
• bash-4.2.46-34.43.amzn1.x86_64
• initscripts-9.03.58-1.40.amzn1.x86_64
• kernel-4.14.186-110.268.amzn1.x86_64
• kernel-tools-4.14.186-110.268.amzn1.x86_64
• libcgroup-0.40.rc1-5.15.amzn1.x86_64
• microcode_ctl-2.1-47.39.amzn1.x86_64

Kernel update:

  • Rebase kernel to upstream stable 4.14.186
  • Update ENA module to version 2.2.10
  • CVEs fixed
    • CVE-2018-20669 [make 'user_access_begin()' do 'access_ok()']
    • CVE-2019-19462 [kernel/relay.c: handle alloc_percpu returning NULL in relay_open]
    • CVE-2020-0543 [addressed in microcode]
    • CVE-2020-10732 [fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()]
    • CVE-2020-10757 [mm: Fix mremap not considering huge pmd devmap]
    • CVE-2020-10766 [x86/speculation: Prepare for per task indirect branch speculation control]
    • CVE-2020-10767 [x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS]
    • CVE-2020-10768 [x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches]
    • CVE-2020-12771 [bcache: fix potential deadlock problem in btree_gc_coalesce]
    • CVE-2020-12888 [vfio-pci: Invalidate mmaps and block MMIO access on disabled memory]
  • Fix disallowing holes in swap files [iomap: don't allow holes in swapfiles]
  • Fix populating cache information [ACPI/PPTT: Handle architecturally unknown cache types]
  • Fix memory leaks in vfio/pci [vfio/pci: fix memory leaks in alloc_perm_bits()]
  • Fix error handling in btrfs [btrfs: fix error handling when submitting direct I/O bio]
  • Fix race leading to null pointer dereference in ext4 [ext4: fix race between ext4_sync_parent() and rename()]
  • Fix null pointer dereference in ext4 [ext4: fix error pointer dereference]
  • Fix memory leak in slub allocator [mm/slub: fix a memory leak in sysfs_slab_add()]

Amazon Linux - 2018.03.0.20200602.1 Update

Major Updates:

Updated packages: aws-cfn-bootstrap-1.4-32.23.amzn1, bind-libs-9.8.2-0.68.rc1.64.amzn1, bind-utils-9.8.2-0.68.rc1.64.amzn1, ca-certificates-2018.2.22-65.1.22.amzn1, kernel-4.14.181-108.257.amzn1, kernel-devel-4.14.181-108.257.amzn1, kernel-headers-4.14.181-108.257.amzn1, kernel-tools-4.14.181-108.257.amzn1, krb5-libs-1.15.1-46.48.amzn1, python27-2.7.18-1.137.amzn1, python27-devel-2.7.18-1.137.amzn1, python27-libs-2.7.18-1.137.amzn1

Kernel update:

  • Re-based kernel to upstream stable 4.14.181
  • Updated ENA module to version 2.2.8
  • CVEs fixed
    • CVE-2019-19319 [ext4: protect journal inode's blocks using block_validity]
    • CVE-2020-10751 [selinux: properly handle multiple messages in selinux_netlink_send()]
    • CVE-2020-1749 [net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup]
    • CVE-2019-19768 [blktrace: Protect q->blk_trace with RCU]
    • CVE-2020-12770 [scsi: sg: add sg_remove_request in sg_write]
  • Fix for a deadlock condition in xen-blkfront [xen-blkfront: Delay flush till queue lock dropped]
  • Fix for ORC unwinding [x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks]

Amazon Linux AMI - 2018.03.0.20200514 Update

Major updates:

Updated packages: aws-cli-1.18.13-1.54.amzn1, cloud-init-0.7.6-2.20.amzn1, ec2-net-utils-0.7-1.3.amzn1, ec2-utils-0.7-1.3.amzn1, expat-2.1.0-11.22.amzn1, java-1.7.0-openjdk-, kernel-4.14.177-107.254, libicu-50.2-4.0, libtirpc-0.2.4-0.16.15, python27-botocore-1.15.13-1.71, python27-colorama-0.4.1-4.8, yum-3.4.3-150.71

Kernel update:

  • Re-based Kernel to upstream stable 4.14.177
  • CVEs fixed
    • CVE-2020-10711 [netlabel: cope with NULL catmap]
    • CVE-2020-12826 [Extend exec_id to 64bits]
    • CVE-2020-12657 [block, bfq: fix use-after-free in bfq_idle_slice_timer_body]
    • CVE-2020-11565 [mm: mempolicy: require at least one nodeid for MPOL_PREFERRED]
    • CVE-2020-8648 [vt: selection, close sel_buffer race]
    • CVE-2020-1094 [vhost: Check docket sk_family instead of call getname]
    • CVE-2020-8649 [vgacon: Fix a UAF in vgacon_invert_region]
    • CVE-2020-8647 [vgacon: Fix a UAF in vgacon_invert_region]
  • Divide by zero scheduler fix

11/19/2018 Update

ENA driver updates: An ENA driver update that introduces Low Latency Queues (LLQ) for improved average and tail latencies. The update also adds support for receive checksum offload that improves CPU utilization.

The primary difference between Amazon Linux AMI 2017.09 and Amazon Linux AMI 2018.03 is the inclusion of a newer kernel, Linux kernel 4.14.

AWS Systems Manager Patch Manager supports the Amazon Linux AMI. This enables automated patching of fleets of Amazon Linux AMI EC2 instances: it can scan instances for missing patches and automatically install all of them.

To upgrade to Amazon Linux AMI 2018.03 from Amazon Linux AMI 2011.09 or later, run sudo yum clean all followed by sudo yum update. When the upgrade is complete, reboot your instance.

The Amazon Linux AMI repositories provided updates that allow you to roll from one version of the Amazon Linux AMI to the next.