Amazon Linux AMI : postgresql9 (ALAS-2013-178)

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service file corruption, and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection...

Amazon Linux AMI : postgresql8 (ALAS-2012-82)

The pgdump utility inserted object names literally into comments in the SQL script it produces. An unprivileged database user could create an object whose name includes a newline followed by a SQL command. This SQL command might then be executed by a privileged user during later restore of the...

Amazon Linux AMI : nss (ALAS-2011-21)

It was found that the Malaysia-based Digicert Sdn. Bhd. subordinate Certificate Authority CA issued HTTPS certificates with weak keys. This update renders any HTTPS certificates signed by that CA as untrusted. This covers all uses of the certificates, including SSL, S/MIME, and code signing. Note...

Amazon Linux AMI : libxslt (ALAS-2012-123)

A heap-based buffer overflow flaw was found in the way libxslt applied templates to nodes selected by certain namespaces. An attacker could use this flaw to create a malicious XSL file that, when used by an application linked against libxslt to perform an XSL transformation, could cause the...

Amazon Linux AMI : php (ALAS-2012-37)

It was found that the hashing routine used by PHP arrays was susceptible to predictable hash collisions. If an HTTP POST request to a PHP application contained many parameters whose names map to the same hash value, a large amount of CPU time would be consumed. This flaw has been mitigated by...

Amazon Linux AMI : nagios (ALAS-2012-50)

Multiple cross-site scripting XSS vulnerabilities in config.c in config.cgi in 1 Nagios 3.2.3 and 2 Icinga before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the expand parameter, as demonstrated by an a command action or a b hosts action. C Tenable Network Security,...

Amazon Linux AMI : python-crypto (ALAS-2012-86)

PyCrypto before 2.6 does not produce appropriate prime numbers when using an ElGamal scheme to generate a key, which reduces the signature space or public key space and makes it easier for attackers to conduct brute-force attacks to obtain the private key. C Tenable Network Security, Inc. The...

Amazon Linux AMI : xorg-x11-server (ALAS-2012-104)

A flaw was found in the way the X.Org server handled lock files. A local user with access to the system console could use this flaw to determine the existence of a file in a directory not accessible to the user, via a symbolic link attack. CVE-2011-4028 A race condition was found in the way the...

Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-151)

Two improper permission check issues were discovered in the reflection API in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from...

Amazon Linux AMI : libxml2 (ALAS-2013-188)

libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service CPU and memory consumption via an XML file containing an entity declaration with long replacement text and many references to this entity, aka 'internal entity expansion' with linear complexity. C Tenable...

Amazon Linux AMI : httpd (ALAS-2011-09)

The MITRE CVE database describes these CVEs as : The modproxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of 1 RewriteRule and 2 ProxyPassMatch pattern matches for configuration of a reverse proxy, which...

Amazon Linux AMI : ruby19 (ALAS-2013-195)

lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service memory consumption and crash via crafted text nodes in an XML document, aka an XML Entity Expansion XEE attack. C Tenable Network Security, Inc. The descriptive text and package...

Amazon Linux AMI : jasper (ALAS-2011-29)

Two heap-based buffer overflow flaws were found in the way JasPer decoded JPEG 2000 compressed image files. An attacker could create a malicious JPEG 2000 compressed image file that, when opened, would cause applications that use JasPer such as Nautilus to crash or, potentially, execute arbitrary...

Amazon Linux AMI : axis (ALAS-2013-164)

Apache Axis did not verify that the server hostname matched the domain name in the subject's Common Name CN or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. CVE-2012-57...

Amazon Linux AMI : gdb (ALAS-2013-159)

GDB tried to auto-load certain files such as GDB scripts, Python scripts, and a thread debugging library from the current working directory when debugging programs. This could result in the execution of arbitrary code with the user's privileges when GDB was run in a directory that has untrusted...

Amazon Linux AMI : rubygems (ALAS-2012-79)

RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amaz...

Amazon Linux AMI : tomcat7 (ALAS-2013-191)

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other application...

Amazon Linux AMI : perl-YAML-LibYAML (ALAS-2012-69)

Multiple format string vulnerabilities in the error reporting functionality in the YAML::LibYAML aka YAML-LibYAML and perl-YAML-LibYAML module 0.38 for Perl allow remote attackers to cause a denial of service process crash via format string specifiers in a 1 YAML stream to the Load function, 2 YA...

Amazon Linux AMI : python26 (ALAS-2012-98)

A denial of service flaw was found in the implementation of associative arrays dictionaries in Python. An attacker able to supply a large number of inputs to a Python application such as HTTP POST request parameters sent to a web application that are used as keys when inserting data into an array...

Amazon Linux AMI : wireshark (ALAS-2012-71)

Several flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. Several denial of service flaws were found in Wireshark. Wireshark could crash or stop...