Amazon Linux AMI : collectd (ALAS-2016-739)

A heap-based buffer overflow in the parsepacket function in network.c in collectd allows remote attackers to cause a denial of service daemon crash or possibly execute arbitrary code via a crafted network packet. C Tenable Network Security, Inc. The descriptive text and package checks in this...

Amazon Linux AMI : python34 / python27,python26 (ALAS-2016-741) (httpoxy)

It was discovered that the Python CGIHandler class did not properly protect against the HTTPPROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP...

Amazon Linux AMI : kernel (ALAS-2016-740)

A use after free vulnerability was found in tcpxmitretransmitqueue and other tcp functions. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory ALAS-2016-740. include'compat.inc'; if description...

Amazon Linux AMI : squid (ALAS-2016-735)

A buffer overflow flaw was found in the way the Squid cachemgr.cgi utility processed remotely relayed Squid input. When the CGI interface utility is used, a remote attacker could possibly use this flaw to execute arbitrary code. CVE-2016-4051 It was found that the fix for CVE-2016-4051 did not...

Amazon Linux AMI : tomcat7 / tomcat8 (ALAS-2016-736)

A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer 4096 bytes used to read the uploaded file if the boundary was the typical tens of bytes long. C Tenable Network Security, Inc. The...

Amazon Linux AMI : compat-libtiff3 (ALAS-2016-734)

Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files. CVE-2014-9655 , CVE-2015-1547 ,...

Amazon Linux AMI : curl (ALAS-2016-730)

curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session. CVE-2016-5419 curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS...

Amazon Linux AMI : mysql56 (ALAS-2016-737)

Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier allows remote administrators to affect availability via vectors related to Server: RBR. CVE-2016-5440 Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier allows remote administrators to affect availability via vectors related t...

Amazon Linux AMI : golang (ALAS-2016-731) (httpoxy)

An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable 'HTTPPROXY' using the incoming 'Proxy' HTTP-request header. The environment variable 'HTTPPROXY' is used by numerous web clients, including Go's net/http package,...

Amazon Linux AMI : samba (ALAS-2016-732)

A flaw was found in the way Samba initiated signed DCE/RPC connections. A man-in-the-middle attacker could use this flaw to downgrade the connection to not use signing and therefore impersonate the server. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin wer...

Amazon Linux AMI : libtiff (ALAS-2016-733)

Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files. CVE-2014-9655 , CVE-2015-1547 ,...

Amazon Linux AMI : ntp (ALAS-2016-727)

It was discovered that ntpq and ntpdc disclosed the origin timestamp to unauthenticated clients, which could permit such clients to forge the server's replies. CVE-2015-8139 The processpacket function in ntpproto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of...

Amazon Linux AMI : kernel (ALAS-2016-726)

It was found that nfsd is missing permissions check when setting ACL on files, this may allow a local users to gain access to any file by setting a crafted ACL. CVE-2016-1237 A flaw was found in the Linux kernel's keyring handling code, where in keyrejectandlink an uninitialised variable would...

Amazon Linux AMI : php55 / php56 (ALAS-2016-728) (httpoxy)

A stack consumption vulnerability in GD in PHP allows remote attackers to cause a denial of service via a crafted imagefilltoborder call. CVE-2015-8874 An integer overflow, leading to a heap-based buffer overflow was found in the imagecreatefromgd2 function of PHP's gd extension. A remote attacke...

Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2016-729)

Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. CVE-2016-3606 , CVE-2016-3598 , CVE-2016-3610 Multiple denial of service flaws were found in the JAXP...

Amazon Linux AMI : python26 / python27,python34 (ALAS-2016-724)

It was found that Python's httplib library used urllib, urllib2 and others did not properly check HTTP header input in HTTPConnection.putheader. An attacker could use this flow to inject additional headers in a Python application that allows user provided header name or values. CVE-2016-5699 It w...

Amazon Linux AMI : java-1.8.0-openjdk (ALAS-2016-723)

Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. CVE-2016-3606 , CVE-2016-3587 , CVE-2016-3598 , CVE-2016-3610 Multiple denial of service flaws were foun...

Amazon Linux AMI : httpd24 / httpd (ALAS-2016-725) (httpoxy)

It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTPPROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could...

Amazon Linux AMI : tomcat6 / tomcat7,tomcat8 (ALAS-2016-722) (httpoxy)

Tomcat's CGI support used the value of the Proxy header from HTTP requests to initialize the HTTPPROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibl...

Amazon Linux AMI : varnish (ALAS-2016-721)

Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r carriage return character in conjunction with multiple Content-Length headers in an HTTP...