Amazon Linux AMI : sudo (ALAS-2013-259)

A flaw was found in the way sudo handled time stamp files. An attacker able to run code as a local user and with the ability to control the system clock could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's...

Amazon Linux AMI : xorg-x11-server (ALAS-2013-260)

A flaw was found in the way the X.org X11 server registered new hot plugged devices. If a local user switched to a different session and plugged in a new device, input from that device could become available in the previous session, possibly leading to information disclosure. CVE-2013-1940 C...

Amazon Linux AMI : openmpi (ALAS-2013-256)

A flaw was found in the way ibutils handled temporary files. A local attacker could use this flaw to cause arbitrary files to be overwritten as the root user via a symbolic link attack. It was discovered that librdmacm used a static port to connect to the ibacm service. A local attacker able to r...

Amazon Linux AMI : kernel (ALAS-2013-258)

Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service memory corruption or possibly have unspecified other impact by leveraging the CAPSYSADMIN capability for a 1 XFSIOCATTRLISTBYHANDLE or 2 XFSIOCATTRLISTBYHANDLE32...

Amazon Linux AMI : dracut (ALAS-2013-257)

It was discovered that dracut created initramfs images as world readable. A local user could possibly use this flaw to obtain sensitive information from these files, such as iSCSI authentication passwords, encrypted root file system crypttab passwords, or other information. CVE-2012-4453 C Tenabl...

Amazon Linux AMI : wireshark (ALAS-2013-251)

Two flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. CVE-2013-3559 , CVE-2013-4083 Several denial of service flaws were found in Wireshark. Wireshar...

Amazon Linux AMI : kernel (ALAS-2013-252)

The Linux kernel before 3.12, when UDP Fragmentation Offload UFO is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service memory corruption and system crash or possibly gain privileges via a crafted application that uses the UDPCORK...

Amazon Linux AMI : nginx (ALAS-2013-249)

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory...

Amazon Linux AMI : mod24_nss (ALAS-2013-254)

A flaw was found in the way modnss handled the NSSVerifyClient setting for the per-directory context. When configured to not require a client certificate for the initial connection and only require it for a specific directory, modnss failed to enforce this requirement and allowed a client to acce...

Amazon Linux AMI : ruby (ALAS-2013-248)

Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service segmentation fault and possibly execute arbitrary code via a string that is converted to...

Amazon Linux AMI : ruby19 (ALAS-2013-247)

Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service segmentation fault and possibly execute arbitrary code via a string that is converted to...

Amazon Linux AMI : python26 (ALAS-2013-241)

It was discovered that multiple Python standard library modules implementing network protocols such as httplib or smtplib failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory. CVE-2013-1752...

Amazon Linux AMI : gc (ALAS-2013-245)

It was discovered that gc's implementation of the malloc and calloc routines did not properly perform parameter sanitization when allocating memory. If an application using gc did not implement application-level validity checks for the malloc and calloc routines, a remote attacker could provide...

Amazon Linux AMI : gnupg2 (ALAS-2013-237)

GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared no usage permitted as if it has all bits set all usage permitted, which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey. The compressed packet parser in...

Amazon Linux AMI : scipy (ALAS-2013-242)

scipy: weave /tmp and current directory issues CVE-2013-4251 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory ALAS-2013-242. include"compat.inc"; if description scriptid70904; scriptversion"1.5";...

Amazon Linux AMI : gnupg (ALAS-2013-236)

GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared no usage permitted as if it has all bits set all usage permitted, which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey. The compressed packet parser in...

Amazon Linux AMI : mod24_fcgid (ALAS-2013-239)

Heap-based buffer overflow in the fcgidheaderbucketread function in fcgidbucket.c in the modfcgid module before 2.3.9 for the Apache HTTP Server allows remote attackers to have an unspecified impact via unknown vectors. C Tenable Network Security, Inc. The descriptive text and package checks in...

Amazon Linux AMI : python-crypto (ALAS-2013-243)

The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator PRNG before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a...

Amazon Linux AMI : mysql51 (ALAS-2013-240)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.70 and earlier, 5.5.32 and earlier, and 5.6.12 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. C Tenable Network Security, Inc. The descriptive text and packa...

Amazon Linux AMI : mod_fcgid (ALAS-2013-238)

Heap-based buffer overflow in the fcgidheaderbucketread function in fcgidbucket.c in the modfcgid module before 2.3.9 for the Apache HTTP Server allows remote attackers to have an unspecified impact via unknown vectors. C Tenable Network Security, Inc. The descriptive text and package checks in...