Amazon Linux: Security Advisory (ALAS-2016-701)

The remote host is missing an update for the SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Amazon Linux: Security Advisory (ALAS-2016-742)

The remote host is missing an update for the SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Amazon Linux: Security Advisory (ALAS-2016-758)

The remote host is missing an update for the SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Amazon Linux: Security Advisory (ALAS-2016-730)

The remote host is missing an update for the SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Amazon Linux AMI : kernel (ALAS-2016-757) (Dirty COW)

A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write COW breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on t...

Amazon Linux AMI : bind (ALAS-2016-758)

CVE-2016-2848 bind: assertion failure triggered by a packet with malformed options A denial of service flaw was found in the way BIND handled packets with malformed options. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS...

Amazon Linux AMI : php70 (ALAS-2016-754)

ext/mysqlnd/mysqlndwireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNEDFLAG flag, which allows remote MySQL servers to cause a denial of service heap-based buffer overflow or possibly have unspecified other impact via crafted field metadata...

Amazon Linux AMI : php56 (ALAS-2016-753)

ext/standard/varunserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service memory corruption or possibly have unspecified other impact via an unserialize call that references a partially constructed object...

Amazon Linux AMI : GraphicsMagick (ALAS-2016-752)

A possible heap overflow was discovered in the EscapeParenthesis function CVE-2016-7447. Various issues were found in the processing of SVG files in GraphicsMagick CVE-2016-7446. The TIFF reader had a bug pertaining to use of TIFFGetField when a 'count' value is returned. The bug caused a heap re...

Amazon Linux AMI : mysql55 / mysql56 (ALAS-2016-756)

It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. C...

Amazon Linux AMI : bind (ALAS-2016-751)

A denial of service flaw was found in the way BIND constructed a response to a query that met certain criteria. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request packet. C Tenable Network Security, Inc. The...

Amazon Linux AMI : openvpn (ALAS-2016-750) (SWEET32)

Ciphers with 64-bit block sizes used in CBC mode were found to be vulnerable to a birthday attack when key renegotiation doesn't happen frequently or at all in long running connections. The blowfish cipher as used in OpenVPN by default is vulnerable to this attack, allowing a remote attacker to...

Amazon Linux AMI : libarchive (ALAS-2016-743)

A flaw was found in the way libarchive handled hardlink archive entries of non-zero size. Combined with flaws in libarchive's file system sandboxing, this issue could cause an application using libarchive to overwrite arbitrary files with arbitrary data from the archive. CVE-2016-5418 Multiple...

Amazon Linux AMI : curl (ALAS-2016-742)

After testing original CVE-2016-5420 patch, it was discovered that libcurl built on top of NSS Network Security Services still incorrectly re-uses client certificates if a certificate from file is used for one TLS connection but no certificate is set for a subsequent TLS connection. C Tenable...

Amazon Linux AMI : openssl (ALAS-2016-749)

A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it...

Amazon Linux AMI : lighttpd (ALAS-2016-746)

It was discovered that lighttpd class did not properly protect against the HTTPPROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. C Tenable...

Amazon Linux AMI : libgcrypt / gnupg (ALAS-2016-744)

A design flaw was found in the libgcrypt PRNG Pseudo-Random Number Generator. An attacker who can obtain the first 580 bytes of the PRNG output can trivially predict the following 20 bytes. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from...

Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2016-748)

An insufficient bytecode verification flaw was discovered in the Hotspot component in OpenJDK. An untrusted Java application or applet could use this flaw to completely bypass Java sandbox restrictions. CVE-2016-3606 Multiple denial of service flaws were found in the JAXP component in OpenJDK. A...

Amazon Linux AMI : postgresql92 / postgresql93,postgresql94 (ALAS-2016-747)

A flaw was found in the way PostgreSQL server handled certain SQL statements containing CASE/WHEN commands. A remote, authenticated attacker could use a specially crafted SQL statement to cause PostgreSQL to crash or disclose a few bytes of server memory or possibly execute arbitrary code...

Amazon Linux AMI : bind (ALAS-2016-745)

It was found that the lightweight resolver could crash due to an error when asked to resolve a query name which, when combined with a search list entry, exceeds the maximum allowable length. A remote attacker could use this flaw to crash lwresd or named when using the 'lwres' statement in...