Amazon Linux 2023 : containerd, containerd-stress (ALAS2023-2025-1304)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1304 advisory. containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad...
Amazon Linux 2023 : amd-ucode-firmware, iwl100-firmware, iwl105-firmware (ALAS2023-2025-1307)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1307 advisory. Improper isolation of shared resources on a system on a chip by a malicious local attacker with high privileges could potentially lead to a partial loss of integrity. CVE-2025-54514 Improper...
Amazon Linux 2023 : cups-filters, cups-filters-devel, cups-filters-libs (ALAS2023-2025-1291)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1291 advisory. CUPS is a standards-based, open-source printing system, and libcupsfilters contains the code of the filters of the former cups-filters package as library functions to be used for the data form...
Amazon Linux 2023 : python3.12, python3.12-devel, python3.12-idle (ALAS2023-2025-1294)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1294 advisory. If the value passed to os.path.expandvars is user-controlled a performance degradation is possible when expanding environment variables. CVE-2025-6075 Tenable has extracted the preceding description bloc...
Amazon Linux 2023 : glib2, glib2-devel, glib2-static (ALAS2023-2025-1311)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1311 advisory. A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string function. If the string to escape contains a very large number of...
Amazon Linux 2023 : postgresql17, postgresql17-contrib, postgresql17-llvmjit (ALAS2023-2025-1300)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1300 advisory. Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE...
Amazon Linux 2023 : libsoup3, libsoup3-devel (ALAS2023-2025-1288)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1288 advisory. A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other applications for web communication. When processing cookies with specially crafte...
Amazon Linux 2023 : python3, python3-devel, python3-idle (ALAS2023-2025-1293)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1293 advisory. If the value passed to os.path.expandvars is user-controlled a performance degradation is possible when expanding environment variables. CVE-2025-6075 Tenable has extracted the preceding description bloc...
Amazon Linux 2023 : openvpn, openvpn-devel (ALAS2023-2025-1312)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1312 advisory. HMAC verification check: fix incorrect memcmp call NOTE: https://community.openvpn.net/Security%20Announcements/CVE-2025-13086 CVE-2025-13086 Tenable has extracted the preceding description block...
Amazon Linux 2023 : rsync, rsync-daemon (ALAS2023-2025-1302)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1302 advisory. A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least re...
Amazon Linux 2023 : exiv2, exiv2-devel, exiv2-libs (ALAS2023-2025-1296)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1296 advisory. Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions 0.28.5 and earlier...
Amazon Linux 2023 : firefox (ALAS2023-2025-1305)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1305 advisory. A heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array boun...
Amazon Linux 2023 : libsoup, libsoup-devel (ALAS2023-2025-1310)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1310 advisory. A denial-of-service vulnerability has been identified in the libsoup HTTP client library. This flaw can be triggered when a libsoup client receives a 401 Unauthorized HTTP response containing ...
Amazon Linux 2023 : python3.13, python3.13-devel, python3.13-freethreading (ALAS2023-2025-1308)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1308 advisory. If the value passed to os.path.expandvars is user-controlled a performance degradation is possible when expanding environment variables. CVE-2025-6075 Tenable has extracted the preceding description bloc...
Amazon Linux 2023 : python3.11, python3.11-devel, python3.11-idle (ALAS2023-2025-1309)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1309 advisory. If the value passed to os.path.expandvars is user-controlled a performance degradation is possible when expanding environment variables. CVE-2025-6075 Tenable has extracted the preceding description bloc...
Amazon Linux 2023 : cni-plugins (ALAS2023-2025-1287)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1287 advisory. net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL...
Amazon Linux 2023 : curl, curl-minimal, libcurl (ALAS2023-2025-1317)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1317 advisory. wcurl path traversal with percent-encoded slashes URLs containing percent-encoded slashes / or \ can trick wcurl into saving the output file outside of the current directory without the user explicitly...
Amazon Linux 2023 : aws-cfn-bootstrap (ALAS2023-2025-1303)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1303 advisory. Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to...
Medium: libpq
Issue Overview: Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using...
Amazon Linux 2 : linux-firmware, --advisory ALAS2-2025-3092 (ALAS-2025-3092)
The version of linux-firmware installed on the remote host is prior to 20200421-85.git78c0348. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-3092 advisory. Improper isolation of shared resources on a system on a chip by a malicious local attacker with high...