
9348 matches found

Tenable Nessus
added 2015/07/09 12:00 a.m. | 55 views

Amazon Linux AMI : php54 (ALAS-2015-561)

Upstream reports that six security-related issues in PHP were fixed in this release, as well as several security issues in bundled sqlite library (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416). All PHP 5.4 users are encouraged to upgrade to this version. Please see the upstream release notes for...

10 CVSS | 7.1 AI score | 0.16948 EPSS
Exploits 3 | References 8

Tenable Nessus
added 2015/07/09 12:00 a.m. | 56 views

Amazon Linux AMI : php56 (ALAS-2015-563)

Upstream reports that several bugs have been fixed as well as several security issues in some bundled libraries (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416, CVE-2015-2325 and CVE-2015-2326). All PHP 5.6 users are encouraged to upgrade to this version. Please see the upstream release notes for...

10 CVSS | 7 AI score | 0.16948 EPSS
Exploits 5 | References 10

Tenable Nessus
added 2015/07/08 12:00 a.m. | 21 views

Amazon Linux AMI : fuse (ALAS-2015-558)

It was discovered that fusermount failed to properly sanitize its environment before executing mount and umount commands. A local user could possibly use this flaw to escalate their privileges on the system. (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin...

3.6 CVSS | 6.4 AI score | 0.01008 EPSS
Exploits 5 | References 2

Tenable Nessus
added 2015/07/08 12:00 a.m. | 31 views

Amazon Linux AMI : php-ZendFramework (ALAS-2015-560)

Upstream reported a vulnerability in the Zend\Mail component in Zend Framework 2, specifically in how it handles headers. Headers are not correctly filtered for newlines, allowing the ability to send additional, unrelated headers and to bypass additional headers by emitting the header/body...

6.1 CVSS | 7.5 AI score | 0.01009 EPSS
Exploits 1 | References 3

Tenable Nessus
added 2015/07/08 12:00 a.m. | 44 views

Amazon Linux AMI : tcpdump (ALAS-2015-557)

Integer signedness error in the mobility_opt_print function in the IPv6 mobility printer in tcpdump before 4.7.2 allows remote attackers to cause a denial of service (out-of-bounds read and crash) or possibly execute arbitrary code via a negative length value. (CVE-2015-0261) The osi_print_cksum function...

7.5 CVSS | 8 AI score | 0.06894 EPSS
Exploits 0 | References 3

Tenable Nessus
added 2015/07/08 12:00 a.m. | 39 views

Amazon Linux AMI : cups (ALAS-2015-559)

A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the...

10 CVSS | 6.7 AI score | 0.29913 EPSS
Exploits 9 | References 4

Tenable Nessus
added 2015/07/08 12:00 a.m. | 24 views

Amazon Linux AMI : postgresql8 (ALAS-2015-556)

A double-free flaw was found in the connection handling. An unauthenticated attacker could exploit this flaw to crash the PostgreSQL back end by disconnecting at approximately the same time as the authentication time out is triggered. (CVE-2015-3165) It was discovered that PostgreSQL did not proper...

9.8 CVSS | 7.7 AI score | 0.08496 EPSS
Exploits 0 | References 4

Tenable Nessus
added 2015/06/25 12:00 a.m. | 36 views

Amazon Linux AMI : python27 (ALAS-2015-552)

It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory. (CVE-2013-1752) ...

7.5 CVSS | 6.9 AI score | 0.03913 EPSS
Exploits 2 | References 4

Tenable Nessus
added 2015/06/25 12:00 a.m. | 30 views

Amazon Linux AMI : libtiff (ALAS-2015-553)

Use of uninitialized memory was reported in libtiff. (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory ALAS-2015-553. include("compat.inc"); if (description) { script_id(84370); script_version("2.4");...

6.5 CVSS | 7.5 AI score | 0.03368 EPSS
Exploits 1 | References 3

Tenable Nessus
added 2015/06/25 12:00 a.m. | 29 views

Amazon Linux AMI : t1utils (ALAS-2015-554)

A buffer overflow flaw was found in the way t1utils processed, for example, certain PFB (Printer Font Binary) files. An attacker could use this flaw to potentially execute arbitrary code by tricking a user into processing a specially crafted PFB file with t1utils. (C) Tenable Network Security, Inc. T...

7.5 CVSS | 6.2 AI score | 0.06905 EPSS
Exploits 1 | References 2

Tenable Nessus
added 2015/06/25 12:00 a.m. | 33 views

Amazon Linux AMI : mod_dav_svn / subversion (ALAS-2015-555)

A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled certain requests for URIs that trigger a lookup of a virtual transaction name. A remote, unauthenticated attacker could send a request for a virtual transaction name that does not exist, causing mod_dav_svn to crash...

5 CVSS | 8 AI score | 0.1067 EPSS
Exploits 0 | References 3

Tenable Nessus
added 2015/06/22 12:00 a.m. | 33 views

Amazon Linux AMI : curl (ALAS-2015-551)

As discussed upstream, libcurl can wrongly send HTTP credentials when re-using connections. (CVE-2015-3236) Also discussed upstream, libcurl can get tricked by a malicious SMB server to send off data it did not intend to. (CVE-2015-3237) (C) Tenable Network Security, Inc. The descriptive text and packa...

6.4 CVSS | 8 AI score | 0.09334 EPSS
Exploits 0 | References 5

Tenable Nessus
added 2015/06/18 12:00 a.m. | 37 views

Amazon Linux AMI : ruby21 (ALAS-2015-548)

RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specifically a SRV record _rubygems._tcp under the original requested domain. RubyGems did not validate the hostname returned in...

5 CVSS | 7.8 AI score | 0.08934 EPSS
Exploits 0 | References 4

Tenable Nessus
added 2015/06/18 12:00 a.m. | 36 views

Amazon Linux AMI : ruby22 (ALAS-2015-549)

RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specifically a SRV record _rubygems._tcp under the original requested domain. RubyGems did not validate the hostname returned in...

5 CVSS | 7.8 AI score | 0.08934 EPSS
Exploits 0 | References 4

Tenable Nessus
added 2015/06/18 12:00 a.m. | 34 views

Amazon Linux AMI : libcap-ng (ALAS-2015-543)

A flaw was found in the way seunshare, a utility for running executables under a different security context, used the capng_lock functionality of the libcap-ng library. The subsequent invocation of suid root binaries that relied on the fact that the setuid system call, among others, also sets the...

6.9 CVSS | 6.1 AI score | 0.00357 EPSS
Exploits 0 | References 2

Tenable Nessus
added 2015/06/18 12:00 a.m. | 29 views

Amazon Linux AMI : ruby20 (ALAS-2015-547)

RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specifically a SRV record _rubygems._tcp under the original requested domain. RubyGems did not validate the hostname returned in...

5 CVSS | 7.8 AI score | 0.08934 EPSS
Exploits 0 | References 4

Tenable Nessus
added 2015/06/18 12:00 a.m. | 29 views

Amazon Linux AMI : e2fsprogs (ALAS-2015-542)

A heap-based buffer overflow flaw was found in e2fsprogs. A specially crafted Ext2/3/4 file system could cause an application using the ext2fs library (for example, fsck) to crash or, possibly, execute arbitrary code. (C) Tenable Network Security, Inc. The descriptive text and package checks in this...

4.6 CVSS | 8.2 AI score | 0.00897 EPSS
Exploits 0 | References 2

Tenable Nessus
added 2015/06/18 12:00 a.m. | 51 views

Amazon Linux AMI : kernel (ALAS-2015-544)

A flaw was found in the way seunshare, a utility for running executables under a different security context, used the capng_lock functionality of the libcap-ng library. The subsequent invocation of suid root binaries that relied on the fact that the setuid system call, among others, also sets the...

6.9 CVSS | 6.1 AI score | 0.00357 EPSS
Exploits 0 | References 2

Tenable Nessus
added 2015/06/18 12:00 a.m. | 36 views

Amazon Linux AMI : postgresql93 (ALAS-2015-546)

Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session...

4.3 CVSS | 8.1 AI score | 0.08496 EPSS
Exploits 0 | References 2

Tenable Nessus
added 2015/06/18 12:00 a.m. | 22 views

Amazon Linux AMI : postgresql92 (ALAS-2015-545)

Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session...

4.3 CVSS | 8.1 AI score | 0.08496 EPSS
Exploits 0 | References 2