Amazon Linux AMI : openvpn (ALAS-2013-201)

The openvpndecrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constant time and a padding oracle attack on the CBC mode cipher. ...

Amazon Linux AMI : libxml2 (ALAS-2012-36)

A heap-based buffer overflow flaw was found in the way libxml2 decoded entity references with long names. A remote attacker could provide a specially crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrar...

Amazon Linux AMI : libproxy (ALAS-2012-140)

A buffer overflow flaw was found in the way libproxy handled the downloading of proxy auto-configuration PAC files. A malicious server hosting a PAC file or a man-in-the-middle attacker could use this flaw to cause an application using libproxy to crash or, possibly, execute arbitrary code, if th...

Amazon Linux AMI : php-ZendFramework (ALAS-2013-153)

The 1 ZendFeedRss and 2 ZendFeedAtom classes in ZendFeed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service CPU and memory consumption via an XML External...

Amazon Linux AMI : mysql51 (ALAS-2013-152)

This update fixes several vulnerabilities in the MySQL database server. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory ALAS-2013-152. include"compat.inc"; if description scriptid69711;...

Amazon Linux AMI : openssh (ALAS-2013-165)

Due to the way the pamsshagentauth PAM module was built, the glibc's error function was called rather than the intended error function in pamsshagentauth to report errors. As these two functions expect different arguments, it was possible for an attacker to cause an application using...

Amazon Linux AMI : postgresql8 (ALAS-2012-94)

A flaw was found in the way the crypt password hashing function from the optional PostgreSQL pgcrypto contrib module performed password transformation when used with the DES algorithm. If the password string to be hashed contained the 0x80 byte value, the remainder of the string was ignored when...

Amazon Linux AMI : libtiff (ALAS-2012-106)

libtiff did not properly convert between signed and unsigned integer values, leading to a buffer overflow. An attacker could use this flaw to create a specially crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code...

Amazon Linux AMI : kernel / nvidia (ALAS-2013-148)

A malicious Network File System version 4 NFSv4 server could return a crafted reply to a GETACL request, causing a denial of service on the client. CVE-2012-2375 , Moderate A divide-by-zero flaw was found in the TCP Illinois congestion control algorithm implementation in the Linux kernel. If the...

Amazon Linux AMI : libtiff (ALAS-2012-147)

A heap-based buffer overflow flaw was found in the way libtiff processed certain TIFF images using the Pixar Log Format encoding. An attacker could create a specially crafted TIFF file that, when opened, could cause an application using libtiff to crash or, possibly, execute arbitrary code with t...

Amazon Linux AMI : bind (ALAS-2012-84)

A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory...

Amazon Linux AMI : libvorbis (ALAS-2012-47)

A heap-based buffer overflow flaw was found in the way the libvorbis library parsed Ogg Vorbis media files. If a specially crafted Ogg Vorbis media file was opened by an application using libvorbis, it could cause the application to crash or, possibly, execute arbitrary code with the privileges o...

Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-183)

Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption. CVE-2013-1569 , CVE-2013-2383 , CVE-2013-2384 Multiple improper permission check issues were...

Amazon Linux AMI : cups (ALAS-2013-170)

It was discovered that CUPS administrative users members of the SystemGroups groups who are permitted to perform CUPS configuration changes via the CUPS web interface could manipulate the CUPS configuration to gain unintended privileges. Such users could read or write arbitrary files with the...

Amazon Linux AMI : socat (ALAS-2012-87)

Heap-based buffer overflow in the xioscanreadline function in xio-readline.c in socat 1.4.0.0 through 1.7.2.0 and 2.0.0-b1 through 2.0.0-b4 allows local users to execute arbitrary code via the READLINE address. C Tenable Network Security, Inc. The descriptive text and package checks in this plugi...

Amazon Linux AMI : glibc (ALAS-2012-57)

An integer overflow flaw was found in the implementation of the printf functions family. This could allow an attacker to bypass FORTIFYSOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such...

Amazon Linux AMI : tomcat6 (ALAS-2011-25)

Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret...

Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-156)

Multiple improper permission check issues were discovered in the AWT, CORBA, JMX, Libraries, and Beans components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. CVE-2013-0442 , CVE-2013-0445 , CVE-2013-0441 , CVE-2013-1475 ,...

Amazon Linux AMI : kernel (ALAS-2011-26)

IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services. CVE-2011-2699 , Important A signedness issue was found in the Linux kernel's CIFS Common Internet File System implementatio...

Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2012-88)

Multiple flaws were discovered in the CORBA Common Object Request Broker Architecture implementation in Java. A malicious Java application or applet could use these flaws to bypass Java sandbox restrictions or modify immutable object data. CVE-2012-1711 , CVE-2012-1719 It was discovered that the...