Amazon Linux AMI : squid (ALAS-2014-433)

A flaw was found in the way Squid handled malformed HTTP Range headers. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid. CVE-2014-3609 A buffer overflow flaw was found in Squid's DNS lookup module. A remote attacker able to send HTTP requests to...

Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2014-430)

Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. CVE-2014-6506 , CVE-2014-6531 , CVE-2014-6502 , CVE-2014-6511 , CVE-2014-6504 , CVE-2014-6519 It was...

Amazon Linux AMI : mysql55 (ALAS-2014-428)

Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: SERVER:SSL:yaSSL. Supported versions that are affected are 5.5.39 and earlier and 5.6.20 and earlier. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful...

Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2014-431)

Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. CVE-2014-6506 , CVE-2014-6531 , CVE-2014-6502 , CVE-2014-6511 , CVE-2014-6504 , CVE-2014-6519 It was...

Amazon Linux AMI : nss (ALAS-2014-429) (POODLE)

A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining CBC mode. This flaw allows a man-in-the-middle MITM attacker to decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a...

Amazon Linux AMI : java-1.8.0-openjdk (ALAS-2014-432)

It was discovered that the Libraries component in OpenJDK failed to properly handle ZIP archives that contain entries with a NUL byte used in the file names. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. CVE-2014-6562 Multiple flaws were discover...

Amazon Linux AMI : openssl (ALAS-2014-427)

A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure Real-time Transport Protocol SRTP extension data. A remote attacker could send multiple specially crafted handshake messages to exhaust all available memory of an SSL/TLS or DTLS server. CVE-2014-3513 A memory leak flaw was...

Amazon Linux AMI : openssl (ALAS-2014-426) (POODLE)

Bodo Moller, Thai Duong and Krzysztof Kotowicz of Google discovered a flaw in the design of SSL version 3.0 that would allow an attacker to calculate the plaintext of secure connections, allowing, for example, secure HTTP cookies to be stolen...

Amazon Linux AMI : python-oauth2 (ALAS-2014-425)

The Server.verifyrequest function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL. The 1 makenonce, 2 generatenonce, and 3 generateverifier functions in SimpleGeo python-oauth2 uses weak random numbers to generate nonce...

Important: openssl

Issue Overview: Bodo Moller, Thai Duong and Krzysztof Kotowicz of Google discovered a flaw in the design of SSL version 3.0 that would allow an attacker to calculate the plaintext of secure connections, allowing, for example, secure HTTP cookies to be stolen...

Amazon Linux AMI : gnutls (ALAS-2014-352)

A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the...

Amazon Linux AMI : nrpe (ALAS-2014-364)

DISPUTED Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor NRPE 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/checknrpe. NOTE: this issue is disputed by multiple parties. It has been reported...

Amazon Linux AMI : php-ZendFramework (ALAS-2014-394)

The implementation of the ORDER BY SQL statement in ZendDbSelect of Zend Framework 1 contains a potential SQL injection when the query string passed contains parentheses, as discussed in http://framework.zend.com/security/advisory/ZF2014-04. C Tenable Network Security, Inc. The descriptive text a...

Amazon Linux AMI : ImageMagick (ALAS-2014-336)

A buffer overflow flaw was found in the way ImageMagick handled PSD images that use RLE encoding. An attacker could create a malicious PSD image file that, when opened in ImageMagick, would cause ImageMagick to crash or, potentially, execute arbitrary code with the privileges of the user running...

Amazon Linux AMI : libmicrohttpd (ALAS-2014-353)

Stack-based buffer overflow in the MHDdigestauthcheck function in libmicrohttpd before 0.9.32, when MHDOPTIONCONNECTIONMEMORYLIMIT is set to a large value, allows remote attackers to cause a denial of service crash or possibly execute arbitrary code via a long URI in an authentication header. The...

Amazon Linux AMI : openssl (ALAS-2014-391)

A flaw was discovered in the way OpenSSL handled DTLS packets. A remote attacker could use this flaw to cause a DTLS server or client using OpenSSL to crash or use excessive amounts of memory. Multiple buffer overflows in crypto/srp/srplib.c in the SRP implementation in OpenSSL 1.0.1 before 1.0.1...

Amazon Linux AMI : elfutils (ALAS-2014-345)

Integer overflow in the checksection function in dwarfbeginelf.c in the libdw library, as used in elfutils 0.153 and possibly through 0.158 allows remote attackers to cause a denial of service application crash or possibly execute arbitrary code via a malformed compressed debug section in an ELF...

Amazon Linux AMI : wireshark (ALAS-2014-330)

Two flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. CVE-2014-2281 , CVE-2014-2299 Several denial of service flaws were found in Wireshark. Wireshar...

Amazon Linux AMI : 389-ds-base (ALAS-2014-396)

It was found that when replication was enabled for each attribute in 389 Directory Server, which is the default configuration, the server returned replicated metadata when the directory was searched while debugging was enabled. A remote attacker could use this flaw to disclose potentially sensiti...

Amazon Linux AMI : nss-util (ALAS-2014-422)

A flaw was found in the way NSS parsed ASN.1 Abstract Syntax Notation One input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS. C Tenable Network Security, Inc. The descriptive tex...