
793 matches found

Amazon
added 2024/01/09 12:0 a.m. | 7 views

Medium: haproxy2

Issue Overview: HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. CVE-2023-45539 Affected...

CVSS 8.2 | AI score 7.1 | EPSS 0.01526 | Exploits 0

Amazon
added 2024/01/09 12:0 a.m. | 6 views

Medium: dmidecode

Issue Overview: Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible. CVE-2023-30630 Affected Packages: dmidecode Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Vis...

CVSS 7.1 | AI score 6.8 | EPSS 0.00523 | Exploits 1

Amazon
added 2024/01/09 12:0 a.m. | 5 views

Medium: libXpm

Issue Overview: A vulnerability was found in libX11 due to an infinite loop within the PutSubImage function. This flaw allows a local user to consume all available system resources and cause a denial of service condition. CVE-2023-43786 Affected Packages: libXpm Note: This advisory is applicable ...

CVSS 5.5 | AI score 6.5 | EPSS 0.00461 | Exploits 1

Amazon
added 2023/12/04 12:0 a.m. | 2 views

Medium: samba

Issue Overview: When doing NTLM authentication, the client sends replies to cryptographic challenges back to the server. These replies have variable length. Winbind did not properly bounds-check the lan manager response length, which despite the lan manager version no longer being used is still...

CVSS 6.5 | AI score 7.1 | EPSS 0.0153 | Exploits 0

Amazon
added 2023/12/04 12:0 a.m. | 5 views

Important: gstreamer1-plugins-bad-free

Issue Overview: gstreamer: AV1 codec parser heap-based buffer overflow CVE-2023-44429 gstreamer: MXF demuxer use-after-free vulnerability CVE-2023-44446 Affected Packages: gstreamer1-plugins-bad-free Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section f...

CVSS 8.8 | AI score 7.5 | EPSS 0.02189 | Exploits 0

Amazon
added 2023/12/04 12:0 a.m. | 2 views

Medium: jettison

Issue Overview: Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of servic...

CVSS 7.5 | AI score 9.3 | EPSS 0.01287 | Exploits 0

Amazon
added 2023/12/04 12:0 a.m. | 5 views

Low: uriparser

Issue Overview: An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax. CVE-2021-46142 Affected Packages: uriparser Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2...

CVSS 5.5 | AI score 7.1 | EPSS 0.01095 | Exploits 1

Amazon
added 2023/12/04 12:0 a.m. | 6 views

Low: libarchive

Issue Overview: In libarchive 3.6.1, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference or, in some cases, even arbitrary code execution. CVE-2022-36227 Affected...

CVSS 9.8 | AI score 7.8 | EPSS 0.01936 | Exploits 0

Amazon
added 2023/12/04 12:0 a.m. | 6 views

Low: advancecomp

Issue Overview: advancecomp has a segmentation fault on invalid MNG size CVE-2023-2961 Affected Packages: advancecomp Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction: Ru...

CVSS 3.3 | AI score 7 | EPSS 0.0019 | Exploits 0

Amazon
added 2023/12/04 12:0 a.m. | 3 views

Important: kernel-livepatch-5.10.192-183.736

Issue Overview: An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU. CVE-2023-45871 A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables compone...

CVSS 7.8 | AI score 6.8 | EPSS 0.00544 | Exploits 0

Amazon
added 2023/12/04 12:0 a.m. | 2 views

Low: gmp

Issue Overview: A flaw was found in gmp. An integer overflow vulnerability could allow an attacker to input an integer value leading to a crash. The highest threat from this vulnerability is to system availability. CVE-2021-43618 Affected Packages: gmp Note: This advisory is applicable to Amazon...

CVSS 7.5 | AI score 7 | EPSS 0.03425 | Exploits 1

Amazon
added 2023/12/04 12:0 a.m. | 8 views

Important: kernel-livepatch-5.10.192-182.736

Issue Overview: An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU. CVE-2023-45871 A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables compone...

CVSS 7.8 | AI score 6.8 | EPSS 0.00544 | Exploits 0

Amazon
added 2023/12/04 12:0 a.m. | 2 views

Low: gawk

Issue Overview: A heap out-of-bounds read flaw was found in builtin.c in the gawk package which may result in a crash of the software. CVE-2023-4156 Affected Packages: gawk Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between A...

CVSS 7.1 | AI score 6.8 | EPSS 0.00424 | Exploits 1

Amazon
added 2023/11/16 12:0 a.m. | 5 views

Medium: containerd

Issue Overview: A flaw was found in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host's filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to...

CVSS 6.8 | AI score 6.7 | EPSS 0.01608 | Exploits 2

Amazon
added 2023/11/16 12:0 a.m. | 4 views

Medium: containerd

Issue Overview: The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Image Specification, the manifest and index documents were not self-describing and documents with a single digest could be interpreted as either a manife...

CVSS 5 | AI score 6.9 | EPSS 0.02067 | Exploits 0

Amazon
added 2023/11/16 12:0 a.m. | 5 views

Medium: docker

Issue Overview: The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Image Specification, the manifest and index documents were not self-describing and documents with a single digest could be interpreted as either a manife...

CVSS 5 | AI score 6.9 | EPSS 0.02067 | Exploits 0

Amazon
added 2023/11/16 12:0 a.m. | 3 views

Medium: containerd

Issue Overview: containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to...

CVSS 7.8 | AI score 7 | EPSS 0.00482 | Exploits 0

Amazon
added 2023/11/15 12:0 a.m. | 3 views

Important: nerdctl

Issue Overview: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-39325 Text nodes not in the HTML namespace are incorrectly literally rendered,...

CVSS 7.5 | AI score 6.2 | EPSS 0.03796 | Exploits 0

Amazon
added 2023/11/15 12:0 a.m. | 2 views

Medium: vim

Issue Overview: Vim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function ga_grow_inner in the file src/alloc.c at line 748, which is freed in the file src/ex_docmd.c in the function do_cmdline at line 1010 and then used again in src/cmdhist...

CVSS 5.5 | AI score 7 | EPSS 0.00366 | Exploits 1

Amazon
added 2023/11/15 12:0 a.m. | 3 views

Medium: ruby

Issue Overview: A flaw was found in ruby, where the date object was found to be vulnerable to a regular expression denial of service (ReDoS) during the parsing of dates. This flaw allows an attacker to hang a ruby application by providing a specially crafted date string. The highest threat to this...

CVSS 7.5 | AI score 6.8 | EPSS 0.03222 | Exploits 1