792 matches found

Amazon
added 2023/10/19 12:0 a.m., 2 views

Important: runc

Issue Overview: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-39325 Affected Packages: runc Note: This advisory is applicable to Amazon Linux...

CVSS 7.5 | AI score 6.9 | EPSS 0.03796 | Exploits 0

Amazon
added 2023/10/19 12:0 a.m., 4 views

Low: containerd

Issue Overview: Containerd is not affected by CVE-2023-39325. While it contains the affected module, it does not use it in a way that exposes users to CVE-2023-39325. Affected Packages: containerd Note: This advisory is applicable to Amazon Linux 2 - Nitro-enclaves Extra. Visit this page to learn...

CVSS 7.5 | AI score 6.9 | EPSS 0.03796 | Exploits 0

Amazon
added 2023/10/19 12:0 a.m., 3 views

Important: firefox

Issue Overview: Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. Chromium security severity: Critical CVE-2023-4863 Affected Packages: firefox Note: This advisory is applicable to Amaz...

CVSS 8.8 | AI score 7.4 | EPSS 0.99739 | Exploits 9

Amazon
added 2023/10/19 12:0 a.m., 2 views

Medium: firefox

Issue Overview: VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding. CVE-2023-44488 Affected Packages: firefox Note: This advisory is applicable to Amazon Linux 2 - Firefox Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section...

CVSS 7.5 | AI score 9.2 | EPSS 0.01936 | Exploits 0

Amazon
added 2023/10/17 12:0 a.m., 2 views

Medium: docker

Issue Overview: A flaw was found in the userns-remap feature of Docker. The root user in the remapped namespace can modify files under /var/lib/docker/, leading to possible privilege escalation to the root user in the host. The highest threat from this vulnerability is to data integrity...

CVSS 6.8 | AI score 7 | EPSS 0.03287 | Exploits 0

Amazon
added 2023/10/17 12:0 a.m., 4 views

Important: ecs-init

Issue Overview: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-39325 Affected Packages: ecs-init Note: This advisory is applicable to Amazon...

CVSS 7.5 | AI score 6.9 | EPSS 0.03796 | Exploits 0

Amazon
added 2023/10/17 12:0 a.m., 3 views

Important: runc

Issue Overview: Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are...

CVSS 7.5 | AI score 7.2 | EPSS 0.03796 | Exploits 0

Amazon
added 2023/10/17 12:0 a.m., 10 views

Important: nginx

Issue Overview: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-44487 Affected Packages: nginx Note: This advisory is applicable to Amazon Linu...

CVSS 7.5 | AI score 8 | EPSS 0.99999 | Exploits 19

Amazon
added 2023/10/04 12:0 a.m., 3 views

Medium: ecs-init

Issue Overview: No CVE was issued for this update. Affected Packages: ecs-init Note: This advisory is applicable to Amazon Linux 2 - Ecs Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue...

AI score 7 | Exploits 0

Amazon
added 2023/10/04 12:0 a.m., 2 views

Medium: djvulibre

Issue Overview: An issue was discovered in IW44Image.cpp in djvulibre 3.5.28 that allows attackers to cause a denial of service via divide by zero. CVE-2021-46310 Affected Packages: djvulibre Note: This advisory is applicable to Amazon Linux 2 - Mate-desktop1.x Extra. Visit this page to learn more abo...

CVSS 6.5 | AI score 6.9 | EPSS 0.00862 | Exploits 1

Amazon
added 2023/10/04 12:0 a.m., 4 views

Important: firefox

Issue Overview: Memory corruption in IPC CanvasTranslator CVE-2023-4573 Memory corruption in IPC ColorPickerShownCallback CVE-2023-4574 Memory corruption in IPC FilePickerShownCallback CVE-2023-4575 XLL file extensions were downloadable without warnings. CVE-2023-4581 Memory safety bug...

CVSS 8.8 | AI score 9.7 | EPSS 0.00693 | Exploits 0

Amazon
added 2023/09/25 12:0 a.m., 2 views

Important: postgresql

Issue Overview: A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. CVE-2021-23222 A flaw was found in postgresql. A purpose-crafted query can read arbitrary bytes of server memory. In the defau...

CVSS 8.8 | AI score 7.6 | EPSS 0.11726 | Exploits 0

Amazon
added 2023/09/25 12:0 a.m., 3 views

Important: squid

Issue Overview: A flaw was found in squid. Due to improper validation while parsing the request URI, squid is vulnerable to HTTP request smuggling. This issue could allow a trusted client to perform an HTTP request smuggling attack and access services otherwise forbidden by squid. The highest...

CVSS 8.6 | AI score 6.8 | EPSS 0.08161 | Exploits 0

Amazon
added 2023/09/25 12:0 a.m., 4 views

Medium: ruby

Issue Overview: A double-free vulnerability was found in Ruby. The issue occurs during Regexp compilation. This flaw allows an attacker to create a Regexp object with a crafted source string that could cause the same memory to be freed twice. CVE-2022-28738 A buffer overrun vulnerability was foun...

CVSS 9.8 | AI score 6.9 | EPSS 0.0387 | Exploits 0

Amazon
added 2023/09/25 12:0 a.m., 4 views

Medium: python38

Issue Overview: An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. CVE-2023-24329 Affected Packages: python38 Note: This advisory is applicable to Amazon Linux 2 - Python3.8 Extra. Vis...

CVSS 7.5 | AI score 7 | EPSS 0.20459 | Exploits 3

Amazon
added 2023/09/25 12:0 a.m., 2 views

Medium: python38

Issue Overview: A flaw was found in python. A stack-based buffer overflow was discovered in the ctypes module provided within Python. Applications that use ctypes without carefully validating the input passed to it may be vulnerable to this flaw, which would allow an attacker to overflow a buffer...

CVSS 9.8 | AI score 7.3 | EPSS 0.23293 | Exploits 1

Amazon
added 2023/09/25 12:0 a.m., 2 views

Medium: ruby

Issue Overview: A buffer overrun vulnerability was found in Ruby. The issue occurs in a conversion algorithm from a String to a Float that causes process termination due to a segmentation fault, but under limited circumstances. This flaw may cause an illegal memory read. CVE-2022-28739 Affected...

CVSS 7.5 | AI score 7 | EPSS 0.0387 | Exploits 0

Amazon
added 2023/09/25 12:0 a.m., 2 views

Medium: python-paramiko

Issue Overview: In Paramiko before 2.10.1, a race condition between creation and chmod in the write_private_key_file function could allow unauthorized information disclosure. CVE-2022-24302 Affected Packages: python-paramiko Note: This advisory is applicable to Amazon Linux 2 - Ansible2 Extra. Visit...

CVSS 5.9 | AI score 6.6 | EPSS 0.0208 | Exploits 1

Amazon
added 2023/09/25 12:0 a.m., 7 views

Important: redis

Issue Overview: A heap-based buffer overflow flaw was found in Redis. This flaw allows an attacker to trick an authenticated user into executing a specially crafted Lua script in Redis. This attack triggers a heap overflow in the cjson and cmsgpack libraries, resulting in heap corruption and...

CVSS 8.8 | AI score 8.2 | EPSS 0.4292 | Exploits 1

Amazon
added 2023/09/25 12:0 a.m., 3 views

Medium: ruby

Issue Overview: An operating system command injection flaw was found in RDoc. Using the rdoc command to generate documentation for a malicious Ruby source code could lead to execution of arbitrary commands with the privileges of the user running rdoc. CVE-2021-31799 Affected Packages: ruby Note:...

CVSS 7 | AI score 7.9 | EPSS 0.0148 | Exploits 0