Amazon Linux AMI : krb5 (ALAS-2011-15)

Multiple NULL pointer dereference and assertion failure flaws were found in the MIT Kerberos KDC when it was configured to use an LDAP Lightweight Directory Access Protocol or Berkeley Database Berkeley DB back end. A remote attacker could use these flaws to crash the KDC. CVE-2011-1527 ,...

Amazon Linux AMI : freetype (ALAS-2011-20)

Multiple input validation flaws were found in the way FreeType processed CID-keyed fonts. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running...

Amazon Linux AMI : openssl (ALAS-2012-38)

It was discovered that the Datagram Transport Layer Security DTLS protocol implementation in OpenSSL leaked timing information when performing certain operations. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a DTLS server as a padding...

Amazon Linux AMI : libtiff (ALAS-2012-65)

Two integer overflow flaws, leading to heap-based buffer overflows, were found in the way libtiff attempted to allocate space for a tile in a TIFF image file. An attacker could use these flaws to create a specially crafted TIFF file that, when opened, would cause an application linked against...

Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2013-167)

An integer overflow flaw was found in the way the 2D component handled certain sample model instances. A specially crafted sample model instance could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with virtual machine privileges. CVE-2013-0809 It was...

Amazon Linux AMI : openldap (ALAS-2012-117)

It was found that the OpenLDAP server daemon ignored olcTLSCipherSuite settings. This resulted in the default cipher suite always being used, which could lead to weaker than expected ciphers being accepted during Transport Layer Security TLS negotiation with OpenLDAP clients. CVE-2012-2668 C...

Amazon Linux AMI : perl (ALAS-2011-19)

A heap-based buffer overflow flaw was found in the way Perl decoded Unicode strings. An attacker could create a malicious Unicode string that, when decoded by a Perl program, would cause the program to crash or, potentially, execute arbitrary code with the permissions of the user running the...

Amazon Linux AMI : dhcp (ALAS-2012-115)

A denial of service flaw was found in the way the dhcpd daemon handled zero-length client identifiers. A remote attacker could use this flaw to send a specially crafted request to dhcpd, possibly causing it to enter an infinite loop and consume an excessive amount of CPU time. CVE-2012-3571 Two...

Amazon Linux AMI : libpng (ALAS-2012-56)

A heap-based buffer overflow flaw was found in the way libpng processed compressed chunks in PNG image files. An attacker could create a specially crafted PNG image file that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of...

Amazon Linux AMI : nss (ALAS-2013-149)

It was found that a Certificate Authority CA mis-issued two intermediate certificates to customers. These certificates could be used to launch man-in-the-middle attacks. This update renders those certificates as untrusted. This covers all uses of the certificates, including SSL, S/MIME, and code...

Amazon Linux AMI : perl-libwww-perl (ALAS-2011-17)

The Net::HTTPS module in libwww-perl LWP before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof...

Amazon Linux AMI : dbus (ALAS-2012-128)

It was discovered that the D-Bus library honored environment settings even when running with elevated privileges. A local attacker could possibly use this flaw to escalate their privileges, by setting specific environment variables before running a setuid or setgid application linked against the...

Amazon Linux AMI : tomcat7 (ALAS-2013-191)

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other application...

Amazon Linux AMI : jasper (ALAS-2011-29)

Two heap-based buffer overflow flaws were found in the way JasPer decoded JPEG 2000 compressed image files. An attacker could create a malicious JPEG 2000 compressed image file that, when opened, would cause applications that use JasPer such as Nautilus to crash or, potentially, execute arbitrary...

Amazon Linux AMI : axis (ALAS-2013-164)

Apache Axis did not verify that the server hostname matched the domain name in the subject's Common Name CN or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. CVE-2012-57...

Amazon Linux AMI : puppet (ALAS-2013-213)

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call. C Tenable Network Security, Inc. The descriptive text and...

Amazon Linux AMI : php (ALAS-2012-95)

Integer overflow in the pharparsetarfile function in tar.c in the phar extension in PHP before 5.3.14 and 5.4.x before 5.4.4 allows remote attackers to cause a denial of service application crash or possibly execute arbitrary code via a crafted tar file that triggers a heap-based buffer overflow...

Amazon Linux AMI : nss (ALAS-2012-102)

It was found that a Certificate Authority CA issued a subordinate CA certificate to its customer, that could be used to issue certificates for any name. This update renders the subordinate CA certificate as untrusted. C Tenable Network Security, Inc. The descriptive text and package checks in thi...

Amazon Linux AMI : cacti (ALAS-2012-32)

The release notes for Cacti 0.8.7i indicate that two security vulnerabilities were fixed, though no corresponding CVE has been issued. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory ALAS-2012-32...

Amazon Linux AMI : lighttpd (ALAS-2013-179)

The httprequestsplitvalue function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service infinite loop via a request with a header containing an empty token, as demonstrated using the 'Connection: TE,,Keep-Alive' header. C Tenable Network Security, Inc. The...