Amazon Linux AMI : collectd (ALAS-2017-829)

Infinite loop due to incorrect interaction of parsepacket and parsepartsignsha256 functions : Collectd contains an infinite loop due to how the parsepacket and parsepartsignsha256 functions interact. If an instance of collectd is configured with 'SecurityLevel None' and with empty 'AuthFile'...

Amazon Linux AMI : mysql56 (ALAS-2017-830)

Server: Security: Privileges unspecified vulnerability CPU Apr 2017 : Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: Server: Security: Privileges. Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily 'exploitable...

Amazon Linux AMI : kernel (ALAS-2017-828)

Infinite recursion in ahash.c by triggering EBUSY on a full queue : A vulnerability was found in crypto/ahash.c in the Linux kernel which allows attackers to cause a denial of service API operation calling its own callback, and infinite recursion by triggering EBUSY on a full queue.CVE-2017-7618...

Amazon Linux AMI : 389-ds-base (ALAS-2017-824)

Remote crash via crafted LDAP messages : An invalid pointer dereference flaw was found in the way 389-ds-base handled LDAP bind requests. A remote unauthenticated attacker could use this flaw to make ns-slapd crash via a specially crafted LDAP bind request, resulting in denial of service...

Amazon Linux AMI : nss / nss-util (ALAS-2017-825)

An out-of-bounds write flaw was found in the way NSS performed certain Base64-decoding operations. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash or execute arbitrary code, using the permissions of the user running an...

Amazon Linux AMI : util-linux (ALAS-2017-823)

Sending SIGKILL to other processes with root privileges via su : A race condition was found in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions.CVE-2017-2616 C Tenable...

Amazon Linux AMI : bind (ALAS-2017-826)

A denial of service flaw was found in the way BIND handled a query response containing CNAME or DNAME resource records in an unusual order. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. CVE-2017-3137 A denial ...

Amazon Linux AMI : GraphicsMagick (ALAS-2017-820)

The QuantumTransferMode function in coders/tiff.c in GraphicsMagick 1.3.25 and earlier allows remote attackers to cause a denial of service out-of-bounds read and application crash via a small samples per pixel value in a CMYKA TIFF file.CVE-2017-6335 The WPG format reader in GraphicsMagick 1.3.2...

Amazon Linux AMI : tomcat7 / tomcat8 (ALAS-2017-822)

Incorrect handling of pipelined requests when send file was used A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost...

Amazon Linux AMI : munin (ALAS-2017-818)

Munin before 2.999.6 has a local file write vulnerability when CGI graphs are enabled. Setting multiple upperlimit GET parameters allows overwriting any file accessible to the www-data user. CVE-2017-6188 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were...

Amazon Linux AMI : R (ALAS-2017-819)

An exploitable buffer overflow vulnerability exists in the LoadEncoding functionality of the R programming language version 3.3.0. A specially crafted R script can cause a buffer overflow resulting in a memory corruption. An attacker can send a malicious R script to trigger this vulnerability...

Amazon Linux AMI : tomcat6 (ALAS-2017-821)

Incorrect handling of pipelined requests when send file was used : A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lo...

Amazon Linux AMI : ntp (ALAS-2017-816)

Denial of Service via Malformed Config : A vulnerability was discovered in the NTP server's parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message.CVE-2017-6464 Potential Overflows in ctlput functions : A vulnerability was foun...

Amazon Linux AMI : cacti (ALAS-2017-817)

PHP Object Injection Vulnerabilities CVE-2014-4000 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory ALAS-2017-817. include'compat.inc'; if description scriptid99530; scriptversion"3.5";...

Amazon Linux AMI : kernel (ALAS-2017-814)

Possible double free in stcpsendmsg incorrect fix for CVE-2017-5986 : It was found that the code in net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service...

Amazon Linux AMI : gnutls (ALAS-2017-815)

A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections form other clients. CVE-2016-8610...

Amazon Linux AMI : wireshark (ALAS-2017-813)

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux...

Amazon Linux AMI : kernel (ALAS-2017-811)

The skbs processed by ipcmsgrecv are not guaranteed to be linear e.g. when sending UDP packets over loopback with MSGMORE. Using csumpartial on potentially the whole skb len is dangerous; instead be on the safe side and use skbchecksum. This may lead to an infoleak as the kernel memory may be...

Amazon Linux AMI : tomcat6 (ALAS-2017-810)

It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP...

Amazon Linux AMI : vim (ALAS-2017-809)

An integer overflow flaw was found in the way vim handled tree length values when reading an undo file. This bug could result in vim crashing when trying to process corrupted undo files. CVE-2017-6350 An integer overflow flaw was found in the way vim handled undo files. This bug could result in v...