Amazon Linux AMI : wget (ALAS-2016-720)
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. CVE-2016-4971 © Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory...
Amazon Linux AMI : libxml2 (ALAS-2016-719)
A heap-based buffer overflow flaw was found in the way libxml2 parsed certain crafted XML input. A remote attacker could provide a specially crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or execute arbitrary code with the...
Amazon Linux AMI : kernel (ALAS-2016-718)
A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled wit...
Amazon Linux AMI : GraphicsMagick (ALAS-2016-717)
It was discovered that GraphicsMagick did not properly sanitize certain input before using it to invoke processes. A remote attacker could create a specially crafted image that, when processed by an application using GraphicsMagick or an unsuspecting user using the GraphicsMagick utilities, would...
Amazon Linux AMI : ImageMagick (ALAS-2016-716)
It was discovered that ImageMagick did not properly sanitize certain input before using it to invoke processes. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to...
Amazon Linux AMI : squid (ALAS-2016-713)
A buffer overflow flaw was found in the way the Squid cachemgr.cgi utility processed remotely relayed Squid input. When the CGI interface utility is used, a remote attacker could possibly use this flaw to execute arbitrary code. CVE-2016-4051 Buffer overflow and input validation flaws were found ...
Amazon Linux AMI : mod24_nss (ALAS-2016-714)
It was reported that +CIPHER operator in OpenSSL changes the order of a cipher. Instead of returning an error as NSS does not support cipher ordering, it returned the result of processing up to that point, which could result in requested ciphers not being enabled. © Tenable Network Security, Inc...
Amazon Linux AMI : nginx (ALAS-2016-715)
A problem was identified in nginx code responsible for saving client request body to a temporary file. A specially crafted request might result in worker process crash due to a NULL pointer dereference while writing client request body to a temporary file. © Tenable Network Security, Inc. The...
Amazon Linux AMI : jq (ALAS-2016-705)
A heap-based buffer overflow flaw was found in the tokenadd function. By tricking a victim into processing a specially crafted JSON file, an attacker could use this flaw to crash jq or, potentially, execute arbitrary code on the victim's system. CVE-2015-8863 © Tenable Network Security, Inc. The...
Amazon Linux AMI : mod_dav_svn (ALAS-2016-710)
The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repositor...
Amazon Linux AMI : php55 (ALAS-2016-707)
The following security-related issues were resolved : Out-of-bounds read in imagescale CVE-2013-7456 Integer underflow causing arbitrary null write in fread/gzread CVE-2016-5096 The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size...
Amazon Linux AMI : libksba (ALAS-2016-712)
The following security-related issues were resolved : Incomplete fix for CVE-2016-4356 CVE-2016-4574 Out-of-bounds read in _ksba_ber_parse_tl CVE-2016-4579 © Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory...
Amazon Linux AMI : ntp (ALAS-2016-708)
It was found that an ntpd client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntpd client, would cause that client to reject all future legitimate server responses, effectively...
Amazon Linux AMI : subversion (ALAS-2016-709)
The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repositor...
Amazon Linux AMI : cacti (ALAS-2016-711)
SQL injection vulnerability in graph_view.php in Cacti 0.8.8.g allows remote authenticated users to execute arbitrary SQL commands via the host_group_data parameter. CVE-2016-3659 © Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux...
Amazon Linux AMI : kernel (ALAS-2016-704)
The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM (aka alternate name) entries containing \0 characters, which allows local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs...
Amazon Linux AMI : php56 (ALAS-2016-706)
The following security-related issues were resolved : Out-of-bounds read in imagescale CVE-2013-7456 Integer underflow causing arbitrary null write in fread/gzread CVE-2016-5096 Integer overflow in php_html_entities CVE-2016-5094 Integer overflow in php_filter_full_special_chars CVE-2016-5095...
Amazon Linux AMI : nspr / nss-util,nss,nss-softokn (ALAS-2016-702)
A use-after-free flaw was found in the way NSS handled DHE (Diffie-Hellman key exchange) and ECDHE (Elliptic Curve Diffie-Hellman key exchange) handshake messages. A remote attacker could send a specially crafted handshake message that, when parsed by an application linked against NSS, would cause tha...
Amazon Linux AMI : kernel (ALAS-2016-703)
The Linux kernel did not properly suppress hugetlbfs support in x86 PV guests, which could allow local PV guest users to cause a denial of service (guest OS crash) by attempting to access a hugetlbfs mapped area. CVE-2016-3961 / XSA-174 A flaw was found in the way the Linux kernel's ASN.1 DER decod...
Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2016-700)
Multiple flaws were discovered in the Serialization and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. CVE-2016-0686, CVE-2016-0687 It was discovered that the RMI server implementation in the JMX...