Amazon Linux AMI : kernel (ALAS-2014-328)

The ip6routeadd function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service memory consumption via a flood of ICMPv6 Router Advertisement packets. drivers/vhost/net.c in the Linux kernel...

Amazon Linux AMI : mod24_security (ALAS-2014-334)

apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted...

Amazon Linux AMI : libserf (ALAS-2014-397)

The 1 serfsslcertissuer, 2 serfsslcertsubject, and 3 serfsslcertcertificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name CN field of an X.509 certificate, which allows man-in-the-middle attackers to spoof...

Amazon Linux AMI : php55 (ALAS-2014-332)

The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service CPU consumption via a crafted ASCII file that triggers a large amount of...

Amazon Linux AMI : httpd (ALAS-2014-331)

It was found that the moddav module did not correctly strip leading white space from certain elements in a parsed XML. In certain httpd configurations that use the moddav module for example when using the moddavsvn module, a remote attacker could send a specially crafted DAV request that would...

Amazon Linux AMI : libXfont (ALAS-2014-404)

Multiple integer overflows in the 1 fsgetreply, 2 fsallocglyphs, and 3 fsreadextentinfo functions in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 allow remote font servers to execute arbitrary code via a crafted xfs reply, which triggers a buffer overflow. Multiple buffer overflows in...

Amazon Linux AMI : libtiff (ALAS-2014-365)

Use-after-free vulnerability in the t2preadwritepdfimage function in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause a denial of service crash or possible execute arbitrary code via a crafted TIFF image. The LZW decompressor in the gif2tiff tool in libtiff 4.0.3 and earlier...

Amazon Linux AMI : httpd (ALAS-2011-9)

It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connec...

Amazon Linux AMI : php54 (ALAS-2014-367)

acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file. A denial of service flaw was found in the way the File Information fileinfo extension parsed certain Composite Document...

Amazon Linux AMI : openswan (ALAS-2011-6)

A NULL pointer dereference flaw was found in the way Openswan's pluto IKE daemon handled certain error conditions. A remote, unauthenticated attacker could send a specially crafted IKE packet that would crash the pluto daemon. C Tenable Network Security, Inc. The descriptive text and package chec...

Amazon Linux AMI : curl (ALAS-2014-407)

libcurl wrongly allows cookies to be set for TLDs, thus making them much broader then they are supposed to be allowed to. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain. By not detecting and rejecting domain names for partial...

Amazon Linux AMI : freetype (ALAS-2011-8)

Multiple input validation flaws were found in the way FreeType processed bitmap font files. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user runnin...

Amazon Linux AMI : dovecot (ALAS-2014-386)

Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 does not properly close old connections, which allows remote attackers to cause a denial of service resource consumption via an incomplete SSL/TLS handshake for an IMAP/POP3 connection. C Tenable Network Security,...

Amazon Linux AMI : glibc (ALAS-2014-355)

Multiple stack-based buffer overflows in net/netfilter/ipvs/ipvsctl.c in the Linux kernel before 2.6.33, when CONFIGIPVS is used, allow local users to gain privileges by leveraging the CAPNETADMIN capability for 1 a getsockopt system call, related to the doipvsgetctl function, or 2 a setsockopt...

Amazon Linux AMI : openssl098e (ALAS-2014-350)

It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. CVE-2014-0224 C Tenable Network...

Amazon Linux AMI : nss (ALAS-2014-424)

A flaw was found in the way NSS parsed ASN.1 Abstract Syntax Notation One input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS. C Tenable Network Security, Inc. The descriptive tex...

Amazon Linux AMI : kernel (ALAS-2014-339)

The nttywrite function in drivers/tty/ntty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the 'LECHO & !OPOST' case, which allows local users to cause a denial of service memory corruption and system crash or gain privileges by triggering a race condition...

Amazon Linux AMI : munin (ALAS-2014-348)

The getgrouptree function in lib/Munin/Master/HTMLConfig.pm in Munin before 2.0.18 allows remote nodes to cause a denial of service infinite loop and memory consumption in the munin-html process via crafted multigraph data. Munin::Master::Node in Munin before 2.0.18 allows remote attackers to cau...

Amazon Linux AMI : python27 (ALAS-2014-380)

It was reported that Python built-in json module have a flaw insufficient bounds checking, which allows a local user to read current process' arbitrary memory. Quoting the upstream bug report : 'The sole prerequisites of this attack are that the attacker is able to control or influence the two...

Amazon Linux AMI : bash (ALAS-2014-419)

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the...