Amazon Linux AMI : libX11 / libXcursor,libXfixes,libXi,libXrandr,libXrender,libXres,libXt,libXv,libXvMC,libXxf86dga,libXxf86vm,libdmx,xorg-x11-proto-devel (ALAS-2014-452)

Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially...

Amazon Linux AMI : docker (ALAS-2014-454)

Docker versions 1.3.0 through 1.3.1 allowed security options to be applied to images, allowing images to modify the default run profile of containers executing these images. This vulnerability could allow a malicious image creator to loosen the restrictions applied to a container's processes,...

Amazon Linux AMI : php55 (ALAS-2014-451)

An out-of-bounds read flaw was found in the way the File Information fileinfo extension parsed Executable and Linkable Format ELF files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted ELF file. C Tenable Network Security, Inc. The descripti...

Amazon Linux AMI : file (ALAS-2014-453)

An out-of-bounds read flaw was found in the way the File Information fileinfo extension parsed Executable and Linkable Format ELF files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted ELF file. C Tenable Network Security, Inc. The descripti...

Amazon Linux AMI : php54 (ALAS-2014-450)

An out-of-bounds read flaw was found in the way the File Information fileinfo extension parsed Executable and Linkable Format ELF files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted ELF file. C Tenable Network Security, Inc. The descripti...

Amazon Linux AMI : rsyslog (ALAS-2014-445)

A flaw was found in the way rsyslog handled invalid log message priority values. In certain configurations, a local attacker, or a remote attacker able to connect to the rsyslog port, could use this flaw to crash the rsyslog daemon. CVE-2014-3634 C Tenable Network Security, Inc. The descriptive...

Amazon Linux AMI : ruby20 (ALAS-2014-448)

The upstream patch for CVE-2014-8080 introduced checks against the REXML.entityexpansiontextlimit, but did not add restrictions to limit the number of expansions performed, i.e. checks against the REXML::Document.entityexpansionlimit. As a consequence, even with the patch applied, a small XML...

Amazon Linux AMI : krb5 (ALAS-2014-443)

It was found that if a KDC served multiple realms, certain requests could cause the setupserverrealm function to dereference a NULL pointer. A remote, unauthenticated attacker could use this flaw to crash the KDC using a specially crafted request. CVE-2013-1418 , CVE-2013-6800 A NULL pointer...

Amazon Linux AMI : wireshark (ALAS-2014-446)

Multiple flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. CVE-2014-6429 , CVE-2014-6430 , CVE-2014-6431 , CVE-2014-6432 Several denial of service...

Amazon Linux AMI : ruby19 (ALAS-2014-447)

The upstream patch for CVE-2014-8080 introduced checks against the REXML.entityexpansiontextlimit, but did not add restrictions to limit the number of expansions performed, i.e. checks against the REXML::Document.entityexpansionlimit. As a consequence, even with the patch applied, a small XML...

Amazon Linux AMI : ruby21 (ALAS-2014-449)

The upstream patch for CVE-2014-8080 introduced checks against the REXML.entityexpansiontextlimit, but did not add restrictions to limit the number of expansions performed, i.e. checks against the REXML::Document.entityexpansionlimit. As a consequence, even with the patch applied, a small XML...

Amazon Linux AMI : libxml2 (ALAS-2014-444)

A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption denial of service bas...

Amazon Linux AMI : wget (ALAS-2014-442)

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the...

Amazon Linux AMI : ruby21 (ALAS-2014-439)

The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service memory consumption via a crafted XML document, aka an XML Entity Expansion XEE attack. C Tenable Network Security, Inc. The descriptive text and...

Amazon Linux AMI : python27 (ALAS-2014-440)

It was discovered that Python built-in module CGIHTTPServer does not properly handle URL-encoded path separators in URLs which may enable attackers to disclose a CGI script's source code or execute arbitrary scripts in the server's document root. CVE-2014-4650 Integer overflow in bufferobject.c i...

Amazon Linux AMI : ruby20 (ALAS-2014-441)

The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service memory consumption via a crafted XML document, aka an XML Entity Expansion XEE attack. C Tenable Network Security, Inc. The descriptive text and...

Amazon Linux AMI : cups (ALAS-2014-438)

A cross-site scripting XSS flaw was found in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface. CVE-2014-2856 It was discovered that CUPS allowed certain users to create symbolic links in certain directories...

Amazon Linux AMI : golang (ALAS-2014-437)

crpyto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via unspecified vectors. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory...

Amazon Linux AMI : php54 (ALAS-2014-434)

An out of bounds read flaw was found in the way the xmlrpc extension parsed dates in the ISO 8601 format. A specially crafted XML-RPC request or response could possibly cause a PHP application to crash. CVE-2014-3668 An integer overflow flaw was found in the way custom objects were unserialized...

Amazon Linux AMI : xerces-j2 (ALAS-2014-436)

A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an...