aws / aws-sam-cli

CLI tool to build, test, debug, and deploy Serverless applications using AWS SAM
https://aws.amazon.com/serverless/sam/
Apache License 2.0
6.5k stars 1.17k forks

Version 1.120.0 Affected by CVE-2024-5535 #7253

Open aldiaz3137 opened 2 months ago

aldiaz3137 commented 2 months ago

Description:

Authenticated vulnerability scans are detecting the latest version as being vulnerable to CVE-2024-5535 related to OpenSSL version 1.1.1w.

Tenable Nessus Agent reports the following:

Path : /usr/local/aws-sam-cli/dist/_internal/libcrypto.so.1.1
Reported version : 1.1.1w
Fixed version : 1.1.1za

Path : /usr/local/aws-sam-cli/dist/_internal/libssl.so.1.1
Reported version : 1.1.1w
Fixed version : 1.1.1za

jysheng123 commented 2 months ago

Thanks for bringing this up to our attention. We are now in the process of bumping our team's OpenSSL version. Thanks

hnnasit commented 3 weeks ago

OpenSSL version was bumped to 3.3.1 in the SAM CLI version 1.122.0. Closing as the CVE has been fixed.

github-actions[bot] commented 3 weeks ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
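To confirm a finding like the one reported above, or to re-check an install after upgrading, the bundled libraries can be inspected directly. The following is an added example, not part of the issue thread or the SAM CLI project: it assumes OpenSSL builds embed a version banner of the form `OpenSSL 1.1.1w  11 Sep 2023`, and the function names and status labels are hypothetical. Only the 1.1.1 series is compared, against the fixed version 1.1.1za quoted in the scanner output; other branches are flagged for separate review.

```python
import re
import sys
from pathlib import Path

# Assumption: the library embeds a banner such as b"OpenSSL 1.1.1w  11 Sep 2023".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)\s+\d{1,2} [A-Z][a-z]{2} \d{4}")
FIXED_111 = "1.1.1za"  # fixed version quoted in the Nessus output on this page


def parse(version):
    """Turn '1.1.1za' into a sortable key; letter suffixes order a..z, then za, zb, ..."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), len(suffix), suffix)


def banner_version(blob):
    """Return the version from the first OpenSSL banner in blob, or None."""
    m = BANNER.search(blob)
    if not m:
        return None
    major, minor, patch, suffix = (g.decode() for g in m.groups())
    return f"{major}.{minor}.{patch}{suffix}"


def classify(version):
    """Compare against 1.1.1za only within the 1.1.1 series."""
    key = parse(version)
    if key[:3] != (1, 1, 1):
        return "other-branch"  # needs that branch's own fixed version
    return "below-fixed" if key < parse(FIXED_111) else "at-or-above-fixed"


def scan(root):
    """Yield (path, version, status) for bundled libcrypto/libssl objects under root."""
    for path in sorted(Path(root).rglob("lib*.so*")):
        if path.name.startswith(("libcrypto", "libssl")) and path.is_file():
            version = banner_version(path.read_bytes())
            yield str(path), version, classify(version) if version else "no-banner"


if __name__ == "__main__":
    # Default is the directory named in the scanner output above.
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/aws-sam-cli/dist/_internal"
    for path, version, status in scan(root):
        print(f"{path}\t{version}\t{status}")
```

A `no-banner` result means the file has to be checked another way, not that it is unaffected.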