Amazon Linux 2 : thunderbird (ALAS-2018-1032)

The following CVEs are fixed in the updated thunderbird package : CVE-2018-5161 : Hang via malformed headers CVE-2018-5162 : Encrypted mail leaks plaintext through src attribute CVE-2018-5183 : Backport critical security fixes in Skia CVE-2018-5155 : Use-after-free with SVG animations and text...

Amazon Linux 2 : qemu-kvm (ALAS-2018-1034) (Spectre)

An out-of-bounds read access issue was found in the VGA display emulator built into the Quick emulator QEMU. It could occur while reading VGA memory to update graphics display. A privileged user/process inside guest could use this flaw to crash the QEMU process on the host resulting in denial of...

Amazon Linux 2 : procps-ng (ALAS-2018-1031)

Multiple integer overflows leading to heap corruption flaws were discovered in file2strvec. These vulnerabilities can lead to privilege escalation for a local attacker who can create entries in procfs by starting processes, which will lead to crashes or arbitrary code execution in proc utilities...

Amazon Linux AMI : kernel (ALAS-2018-1038) (Spectre)

An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions a commonly used performance optimization. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the...

Amazon Linux 2 : java-1.8.0-openjdk (ALAS-2018-1039) (Spectre)

An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions a commonly used performance optimization. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the...

Amazon Linux 2 : curl (ALAS-2018-1029)

Curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command...

Amazon Linux 2 : libvirt (ALAS-2018-1033) (Spectre)

An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions a commonly used performance optimization. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the...

Important: java-1.7.0-openjdk

Issue Overview: An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions a commonly used performance optimization. It relies on the presence of a precisely-defined instruction sequence in the privileged code...

Important: 389-ds-base

Issue Overview: It was found that 389-ds-base did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus...

Low: xdg-user-dirs

Issue Overview: It was found that the system umask policy is not being honored when creating XDG user directories /Desktop etc on first login. This could lead to user's files being inadvertently exposed to other local users.CVE-2017-15131 Affected Packages: xdg-user-dirs Note: This advisory is...

Important: curl

Issue Overview: Curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command...

Important: git

Issue Overview: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.CVE-2018-11233 In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16...

Critical: thunderbird

Issue Overview: The following CVEs are fixed in the updated thunderbird package: CVE-2018-5161: Hang via malformed headers CVE-2018-5162: Encrypted mail leaks plaintext through src attribute CVE-2018-5183: Backport critical security fixes in Skia CVE-2018-5155: Use-after-free with SVG animations...

Important: qemu-kvm

Issue Overview: An out-of-bounds read access issue was found in the VGA display emulator built into the Quick emulator QEMU. It could occur while reading VGA memory to update graphics display. A privileged user/process inside guest could use this flaw to crash the QEMU process on the host resulti...

Amazon Linux 2 : nghttp2 (ALAS-2018-1020)

nghttp2 version = 1.10.0 and nghttp2 = 1.31.1. CVE-2018-1000168 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux 2 Security Advisory ALAS-2018-1020. include'compat.inc'; if description scriptid110193; scriptversion"1.4";...

Amazon Linux 2 : dhcp (ALAS-2018-1021)

Command injection vulnerability in the DHCP client NetworkManager integration script : A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Amazon Linux 2. A malicious DHCP server, or an attacker on the local network able to spoof DHC...

Amazon Linux 2 : ghostscript (ALAS-2018-1022)

The settextdistance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows remote attackers to cause a denial of service application crash or possibly have unspecified other impac...

Amazon Linux AMI : gnupg2 (ALAS-2018-1025)

Unenforced configuration allows for apparently valid certifications actually signed by signing subkeys : GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only wi...

Amazon Linux AMI : mysql56 (ALAS-2018-1027)

Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: InnoDB. Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server...

Amazon Linux AMI : kernel (ALAS-2018-1023)

A weakness was found in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated. CVE-2018-1108 A flaw was found in the way the Linux kernel handled exceptions delivered after a stac...