Important: python

Issue Overview: There is a defect in the CPython "tarfile" module affecting the "TarFile" extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously...

Amazon Linux 2 : webkitgtk4 (ALAS-2025-2970)

The version of webkitgtk4 installed on the remote host is prior to 2.48.5-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2970 advisory. A cookie management issue was addressed with improved state management. This issue is fixed in watchOS 11, macOS Sequo...

Amazon Linux 2 : gstreamer-plugins-bad-free (ALAS-2025-2972)

The version of gstreamer-plugins-bad-free installed on the remote host is prior to 0.10.23-42. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2972 advisory. Integer overflow leading to heap overwrite in MXF file handling with uncompressed video NOTE:...

Amazon Linux 2 : libtiff (ALAS-2025-2965)

The version of libtiff installed on the remote host is prior to 4.0.3-35. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2965 advisory. A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as critical. This vulnerability affects the functi...

Amazon Linux 2 : python (ALAS-2025-2961)

The version of python installed on the remote host is prior to 2.7.18-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2961 advisory. There is a defect in the CPython tarfile module affecting the TarFile extraction and entry enumeration APIs. The tar implementation...

Amazon Linux 2 : gstreamer1-plugins-good (ALAS-2025-2964)

The version of gstreamer1-plugins-good installed on the remote host is prior to 1.18.4-6. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2964 advisory. GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files...

Amazon Linux 2 : edk2 (ALAS-2025-2975)

It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2975 advisory. EDK2 contains a vulnerability in BIOS where an attacker may cause Protection Mechanism Failure by local access. Successful exploitation of this vulnerability will lead to arbitrary code execution and impa...

Amazon Linux 2 : nginx, --advisory ALAS2NGINX1-2025-009 (ALASNGINX1-2025-009)

The version of nginx installed on the remote host is prior to 1.28.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2NGINX1-2025-009 advisory. NGINX Open Source and NGINX Plus have a vulnerability in the ngxmailsmtpmodule that might allow an unauthenticated attacker to...

Medium: gstreamer-plugins-bad-free

Issue Overview: Integer overflow leading to heap overwrite in MXF file handling with uncompressed video NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0006.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/mergerequests/5362 NOTE: Fixed by:...

Amazon Linux 2 : kernel (ALASKERNEL-5.10-2025-097)

The version of kernel installed on the remote host is prior to 5.10.238-234.956. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2025-097 advisory. In the Linux kernel, the following vulnerability has been resolved: mm/khugepaged: fix -anonvma race...

Amazon Linux 2 : kernel, --advisory ALAS2KERNEL-5.15-2025-087 (ALASKERNEL-5.15-2025-087)

The version of kernel installed on the remote host is prior to 5.15.189-131.206. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.15-2025-087 advisory. In the Linux kernel, the following vulnerability has been resolved: net: tap: NULL pointer derefence in...

Amazon Linux 2 : kernel, --advisory ALAS2KERNEL-5.10-2025-101 (ALASKERNEL-5.10-2025-101)

The version of kernel installed on the remote host is prior to 5.10.240-238.959. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2025-101 advisory. In the Linux kernel, the following vulnerability has been resolved: net: tap: NULL pointer derefence in...

Amazon Linux 2 : kernel, --advisory ALAS2KERNEL-5.4-2025-106 (ALASKERNEL-5.4-2025-106)

The version of kernel installed on the remote host is prior to 5.4.296-217.427. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.4-2025-106 advisory. In the Linux kernel, the following vulnerability has been resolved: net: tap: NULL pointer derefence in...

Medium: thunderbird

Issue Overview: There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above. CVE-2025-6965 Affected Packages:...

Medium: ruby

Issue Overview: The attack vector is a potential Denial of Service DoS. The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv...

Important: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: net: tap: NULL pointer derefence in devparseheaderprotocol when skb-dev is null CVE-2022-50073 In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix a server shutdown leak CVE-2023-53131 ...

Low: kernel

Issue Overview: No CVE associated with this advisory Affected Packages: kernel Note: This advisory is applicable to Amazon Linux 2 - Kernel-5.10 Extra. Visit this page to learn more about Amazon Linux 2 AL2 Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories...

Low: kernel

Issue Overview: No CVE associated with this advisory Affected Packages: kernel Note: This advisory is applicable to Amazon Linux 2 - Kernel-5.15 Extra. Visit this page to learn more about Amazon Linux 2 AL2 Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories...

Medium: php

Issue Overview: fsockopen doesn't regard hostname as well, hostname is terminated at the null byte. This can cause Server Side Request Forgery in general case. CVE-2025-1220 Missing error checking could result in SQL injection and missing error handling could lead to crashes due to null pointer...

Important: unbound

Issue Overview: A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet ECS. Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along wit...