Amazon Linux 2 : mailman (ALAS-2018-985)

Cross-site scripting XSS vulnerability in web UI A cross-site scripting XSS flaw was found in mailman. An attacker, able to trick the user into visiting a specific URL, can execute arbitrary web scripts on the user's side and force the victim to perform unintended actions. CVE-2018-5950 C Tenable...

Amazon Linux 2 : dhcp (ALAS-2018-984)

Buffer overflow in dhclient possibly allowing code execution triggered by malicious server An out-of-bound memory access flaw was found in the way dhclient processed a DHCP response packet. A malicious DHCP server could potentially use this flaw to crash dhclient processes running on DHCP client...

Amazon Linux 2 : glibc (ALAS-2018-992)

Integer overflow in malloc functions : The malloc implementation in the GNU C Library aka glibc or libc6, from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZEMAX and could return a pointer to a heap region that i...

Amazon Linux 2 : kernel (ALAS-2018-939) (Meltdown) (Spectre)

An updated kernel release for Amazon Linux has been made available which prevents speculative execution of indirect branches within the kernel. This release incorporates latest stable open source Linux security improvements to address CVE-2017-5715 within the kernel and builds upon previously...

Amazon Linux 2 : libvirt (ALAS-2018-952) (Spectre)

An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions a commonly used performance optimization. There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant...

Amazon Linux 2 : microcode_ctl (ALAS-2018-953) (Spectre)

An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions a commonly used performance optimization. There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant...

Amazon Linux 2 : qemu-kvm (ALAS-2018-942) (Spectre)

An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions a commonly used performance optimization. There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant...

Amazon Linux 2 : linux-firmware (ALAS-2018-962) (Spectre)

Speculative execution branch target injection An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions a commonly used performance optimization. There are three primary variants of the issue which differ in the way the...

Amazon Linux AMI : python-paramiko (ALAS-2018-989)

Authentication bypass in transport.py transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed...

Amazon Linux AMI : postgresql93 / postgresql94,postgresql95,postgresql96 (ALAS-2018-990)

Uncontrolled search path element in pgdump and other client applications A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database...

Amazon Linux AMI : libvorbis (ALAS-2018-981)

Vorbis audio processing out of bounds write : An out of bounds write flaw was found in the processing of vorbis audio data. A maliciously crafted file or audio stream could cause the application to crash or, potentially, execute arbitrary code. CVE-2018-5146 C Tenable Network Security, Inc. The...

Amazon Linux AMI : mailman (ALAS-2018-985)

Cross-site scripting XSS vulnerability in web UI A cross-site scripting XSS flaw was found in mailman. An attacker, able to trick the user into visiting a specific URL, can execute arbitrary web scripts on the user's side and force the victim to perform unintended actions. CVE-2018-5950 CSRF...

Amazon Linux AMI : nvidia (ALAS-2018-991)

NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer nvlddmkm.sys handler for DxgkDdiEscape where a NULL pointer dereference may lead to denial of service or possible escalation of privileges. CVE-2018-6247 NVIDIA Windows GPU Display Driver contains a vulnerability ...

Amazon Linux AMI : 389-ds-base (ALAS-2018-980)

Authentication bypass due to lack of size check in slapictmemcmp function in chmalloc.c : It was found that 389-ds-base did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypa...

Amazon Linux AMI : dhcp (ALAS-2018-984)

Buffer overflow in dhclient possibly allowing code execution triggered by malicious server An out-of-bound memory access flaw was found in the way dhclient processed a DHCP response packet. A malicious DHCP server could potentially use this flaw to crash dhclient processes running on DHCP client...

Amazon Linux AMI : ruby20 / ruby22,ruby23,ruby24 (ALAS-2018-983)

Path traversal when writing to a symlinked basedir outside of the root RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal...

Low: zsh

Issue Overview: NULL dereference in cd in sh compatibility mode under given circumstances In builtin.c in zsh before 5.4, when sh compatibility mode is used, there is a NULL pointer dereference during processing of the cd command with no argument if HOME is not set. CVE-2017-18205 Null-pointer...

Medium: mailman

Issue Overview: Cross-site scripting XSS vulnerability in web UI A cross-site scripting XSS flaw was found in mailman. An attacker, able to trick the user into visiting a specific URL, can execute arbitrary web scripts on the user's side and force the victim to perform unintended actions...

Important: dhcp

Issue Overview: Buffer overflow in dhclient possibly allowing code execution triggered by malicious server An out-of-bound memory access flaw was found in the way dhclient processed a DHCP response packet. A malicious DHCP server could potentially use this flaw to crash dhclient processes running...

Amazon Linux AMI : php71 (ALAS-2018-982)

Stack-based buffer under-read in ext/standard/httpfopenwrapper.c:phpstreamurlwraphttpex function when parsing HTTP response allows denial of service : In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing ...