Amazon Linux AMI : libnl3 (ALAS-2017-876)

Integer overflow in nlmsgreserve : An integer overflow leading to a heap-buffer overflow was found in the libnl library. An attacker could use this flaw to cause an application compiled with libnl to crash or possibly execute arbitrary code in the context of the user running such an application...

Medium: libnl3

Issue Overview: Integer overflow in nlmsgreserve: An integer overflow leading to a heap-buffer overflow was found in the libnl library. An attacker could use this flaw to cause an application compiled with libnl to crash or possibly execute arbitrary code in the context of the user running such a...

Amazon Linux AMI : tomcat7 (ALAS-2017-873)

Security constrained bypass in error page mechanism : While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an...

Amazon Linux AMI : kernel (ALAS-2017-870)

Buffer overflow in mpoverridelegacyirq : Buffer overflow in the mpoverridelegacyirq function in arch/x86/kernel/acpi/boot.c in the Linux kernel through 4.12.2 allows local users to gain privileges via a crafted ACPI table. CVE-2017-11473 A race between inotifyhandleevent and sysrename : A race...

Amazon Linux AMI : cacti (ALAS-2017-874)

spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter. CVE-2017-12065 Cross-site scripting XSS vulnerability in aggregategraphs.php in Cacti before 1.1.16 allows remote authenticated users to inject...

Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2017-869)

It was discovered that the DCG implementation in the RMI component of OpenJDK failed to correctly handle references. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. CVE-2017-10102 Multiple flaws were discovere...

Qualys Cloud Suite 8.10.2 New Features

This new patch release of the Qualys Cloud Suite, version 8.10.2, includes updates to shared platform features, a new role for user management, and expanded Policy Compliance platform support. Feature Highlights Qualys Cloud Platform Limit number of external scanners – You can now limit the numbe...

Amazon Linux AMI : aws-cfn-bootstrap (ALAS-2017-866)

A vulnerability was reported in the CloudFormation bootstrap tools, where default behavior in the handling of cfn-init metadata can provide escalated privileges to an attacker with local access to the system C Tenable Network Security, Inc. The descriptive text and package checks in this plugin...

Amazon Linux AMI : php70 (ALAS-2017-867)

Out-of-bounds heap write in bitsetsetrange : An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitsetsetrange during regular expression compilation due to an uninitialized variable fro...

Amazon Linux AMI : tomcat8 (ALAS-2017-862)

Security constrained bypass in error page mechanism : A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page...

Amazon Linux AMI : libtommath / libtomcrypt (ALAS-2017-864)

possible OP-TEE Bleichenbacher attack : The rsaverifyhashex function in rsaverifyhash.c in LibTomCrypt, as used in OP-TEE before 2.2.0, does not validate that the message length is equal to the ASN.1 encoded data length, which makes it easier for remote attackers to forge RSA signatures or public...

Amazon Linux AMI : httpd24 (ALAS-2017-863)

apfindtoken buffer overread : A buffer over-read flaw was found in the httpd's apfindtoken function. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP request. CVE-2017-7668 Apache HTTP Request Parsing Whitespace Defects : It was discovered...

Amazon Linux AMI : aws-cfn-bootstrap (ALAS-2017-861)

A vulnerability was reported in the CloudFormation bootstrap tools that allows an attacker to execute arbitrary code as root if they have local access to the system and are able to create files in a specific directory CVE-2017-9450 C Tenable Network Security, Inc. The descriptive text and package...

Amazon Linux AMI : bind (ALAS-2017-858)

Security Fixes: A flaw was found in the way BIND handled TSIG authentication for dynamic updates. A remote attacker able to communicate with an authoritative BIND server could use this flaw to manipulate the contents of a zone, by forging a valid TSIG or SIG0 signature for a dynamic update reques...

Amazon Linux AMI : c-ares (ALAS-2017-859)

The c-ares function aresparsenaptrreply, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. CVE-2017-1000381 C Tenable Network Security, Inc. The descriptive text and...

Amazon Linux AMI : golang (ALAS-2017-857)

Golang: Elliptic curves carry propagation issue in x86-64 P-256. A carry propagation flaw was found in the implementation of the P-256 elliptic curve in golang. An attacker could use this flaw to extract private keys when static ECDH is used. CVE-2017-8932 C Tenable Network Security, Inc. The...

Amazon Linux AMI : mercurial (ALAS-2017-856)

Python debugger accessible to authorized users : A flaw was found in the way 'hg serve --stdio' command in Mercurial handled command-line options. A remote, authenticated attacker could use this flaw to execute arbitrary code on the Mercurial server by using specially crafted command-line options...

Amazon Linux AMI : tomcat8 (ALAS-2017-854)

Security constrained bypass in error page mechanism : A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page...

Amazon Linux AMI : sudo (ALAS-2017-855)

It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root...

Amazon Linux AMI : tomcat7 (ALAS-2017-853)

Security constrained bypass in error page mechanism : A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page...