
267 matches found

Amazon
added 2024/03/21 12:0 a.m., 2 views

Medium: libsndfile

Issue Overview: An off-by-one error in function wav_read_header in src/wav.c in Libsndfile 1.1.0, results in a write out of bound, which allows an attacker to execute arbitrary code, Denial of Service or other unspecified impacts. CVE-2022-33064 Affected Packages: libsndfile Issue Correction: Run d...

7.8 CVSS, 7.5 AI score, 0.00032 EPSS
Exploits: 1

Rosalinux
added 2024/03/19 12:44 p.m., 43 views

Advisory ROSA-SA-2024-2377

Software: cups 2.3.3op2 OS: ROSA-CHROME package_evr_string: cups-2.3.3.3op2-7.src.rpm CVE-ID: CVE-2022-26691 BDU-ID: 2022-04718 CVE-Crit: MEDIUM CVE-DESC.: A vulnerability in the CUPS print server is related to flaws in the authorization procedure. Exploitation of the vulnerability could allow an...

7.2 CVSS, 7.2 AI score, 0.00055 EPSS
Exploits: 1

Rosalinux
added 2024/03/19 12:41 p.m., 18 views

Advisory ROSA-SA-2024-2376

Software: dav1d 1.3.0 OS: ROSA-CHROME package_evr_string: dav1d-1.3.0-1.src.rpm CVE-ID: CVE-2023-32570 BDU-ID: None CVE-Crit: MEDIUM CVE-DESC.: VideoLAN dav1d has a thread_task.c race condition that could cause an application crash associated with dav1d_decode_frame_exit. CVE-STATUS: Fixed CVE-REV: T...

5.9 CVSS, 6.9 AI score, 0.00083 EPSS
Exploits: 0

Redos
added 2024/03/13 12:0 a.m., 19 views

ROS-2-1573

2.1573 Vulnerability in Mozilla Firefox browser CVE-2021-29967 1. Vulnerability description: Vulnerability in the Mozilla Firefox browser that allows an attacker to execute arbitrary code on the target system. Identifier of the Information Security Threats Data Bank of the FSTEC of Russia: 2...

8.8 CVSS, 7.6 AI score, 0.00365 EPSS
Exploits: 0

Amazon
added 2024/03/06 12:0 a.m., 2 views

Low: openssl-snapsafe

Issue Overview: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a potential Denial of Service attack. The package openssl098e is provided purely for binary compatibility with older Amazon Linux versions. It does not receive security updates. CVE-2024-0727 Affect...

5.5 CVSS, 7 AI score, 0.00208 EPSS
Exploits: 0

Amazon
added 2024/03/05 12:0 a.m., 3 views

Important: dotnet6.0

Issue Overview: .NET Denial of Service Vulnerability CVE-2024-20672 .NET Denial of Service Vulnerability CVE-2024-21386 .NET Denial of Service Vulnerability CVE-2024-21404 Affected Packages: dotnet6.0 Issue Correction: Run dnf update dotnet6.0 --releasever 2023.3.20240304 or dnf update --advisory...

7.5 CVSS, 6.8 AI score, 0.0291 EPSS
Exploits: 0

Amazon
added 2024/03/05 12:0 a.m., 4 views

Medium: ncurses

Issue Overview: ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/libtermcap.c. CVE-2023-45918 Affected Packages: ncurses Issue Correction: Run dnf update ncurses --releasever 2023.3.20240304 to update your system. New Packages: aarch64: ...

6.8 AI score
Exploits: 0

Rosalinux
added 2024/02/27 9:22 a.m., 42 views

Advisory ROSA-SA-2024-2363

Software: mod_wsgi 4.6.4 OS: ROSA Virtualization 2.1 package_evr_string: mod_wsgi-4.6.4-4.rv3.1c CVE-ID: CVE-2022-2255 BDU-ID: 2022-05209 CVE-Crit: MEDIUM. CVE-DESC.: A vulnerability in the mod_wsgi module of the Apache web server is related to errors in the processing of the X-Client-IP header...

7.5 CVSS, 6.9 AI score, 0.00461 EPSS
Exploits: 1

Amazon
added 2024/02/20 12:0 a.m., 2 views

Low: containerd

Issue Overview: Containerd is not affected by CVE-2023-39325. While it contains the affected module, it does not use it in a way that exposes users to CVE-2023-39325. Affected Packages: containerd Note: This advisory is applicable to Amazon Linux 2 - Docker Extra. Visit this page to learn more...

7.5 CVSS, 6.9 AI score, 0.0015 EPSS
Exploits: 0

Amazon
added 2024/02/19 12:0 a.m., 1 views

Important: gstreamer1-plugins-bad-free

Issue Overview: GStreamer-SA-2024-0001: AV1 codec parser potential buffer overflow during tile list parsing NOTE: https://gstreamer.freedesktop.org/security/sa-2024-0001.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5970 NOTE: Fixed by:...

8.8 CVSS, 7.5 AI score, 0.03631 EPSS
Exploits: 0

Amazon
added 2024/02/19 12:0 a.m., 2 views

Medium: vim

Issue Overview: Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions. CVE-2024-22667 Affected Packages: vim Issue Correction: Run dnf update vim --releasever...

7.8 CVSS, 7.9 AI score, 0.00152 EPSS
Exploits: 1

Rosalinux
added 2024/02/06 8:17 a.m., 45 views

Advisory ROSA-SA-2024-2339

Software: libtirpc 1.1.4 OS: ROSA Virtualization 2.1 package_evr_string: libtirpc-1.1.4-8.rv3.src.rpm CVE-ID: CVE-2021-46828 BDU-ID: None CVE-Crit: HIGH CVE-DESC.: In libtirpc, remote attackers could exhaust the file descriptors of a process using libtirpc because idle TCP connections are not handl...

7.5 CVSS, 7.5 AI score, 0.01199 EPSS
Exploits: 0

Amazon
added 2024/01/31 12:0 a.m., 2 views

Important: runc

Issue Overview: AWS is aware of CVE-2024-21626, an issue affecting the runc component of several open source container management systems. Under certain conditions, an actor could leverage a specially crafted container or container configuration to access files or directories outside the...

8.6 CVSS, 6.9 AI score, 0.05076 EPSS
Exploits: 18

Amazon
added 2024/01/23 12:0 a.m., 3 views

Low: containerd

Issue Overview: No CVE associated with this advisory Affected Packages: containerd Note: This advisory is applicable to Amazon Linux 2 - Nitro-enclaves Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras...

7.8 CVSS, 7 AI score, 0.00244 EPSS
Exploits: 2

Rosalinux
added 2024/01/09 9:43 a.m., 50 views

Advisory ROSA-SA-2024-2320

Software: cups 2.3.3op2 OS: ROSA-CHROME package_evr_string: cups-2.3.3.3op2-6.src.rpm CVE-ID: CVE-2023-4504 BDU-ID: 2023-06408 CVE-Crit: HIGH CVE-DESC.: A vulnerability in the scan_ps function of the CUPS print server libppd library is related to an operation exceeding buffer boundaries in memory wh...

7 CVSS, 8.1 AI score, 0.00035 EPSS
Exploits: 2

Amazon
added 2024/01/09 12:0 a.m., 3 views

Medium: gstreamer-plugins-base

Issue Overview: A flaw was found in gstreamer-plugins-base where an out-of-bounds read when handling certain ID3v2 tags is possible. The highest threat from this vulnerability is to system availability. CVE-2021-3522 Affected Packages: gstreamer-plugins-base Note: This advisory is applicable to...

5.5 CVSS, 6.8 AI score, 0.0013 EPSS
Exploits: 0

Amazon
added 2024/01/09 12:0 a.m., 1 views

Low: libpq

Issue Overview: No CVE associated with this advisory Affected Packages: libpq Note: This advisory is applicable to Amazon Linux 2 - Postgresql12 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories...

8.8 CVSS, 7 AI score, 0.01608 EPSS
Exploits: 0

Amazon
added 2024/01/08 12:0 a.m., 7 views

Medium: p7zip

Issue Overview: p7zip 16.02 was discovered to contain a heap-buffer-overflow vulnerability via the function NArchive::NZip::CInArchive::FindCd(bool) at CPP/7zip/Archive/Zip/ZipIn.cpp. CVE-2022-47069 Affected Packages: p7zip Issue Correction: Run dnf update p7zip --releasever 2023.3.20240108 to upda...

7.8 CVSS, 7.3 AI score, 0.00039 EPSS
Exploits: 1

Amazon
added 2024/01/08 12:0 a.m., 3 views

Medium: ecs-init

Issue Overview: Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 Affected Packages: ecs-init Issue Correction: Run dnf update ecs-init --releasever 2023.3.20240108 to update you...

6.1 CVSS, 6.3 AI score, 0.00098 EPSS
Exploits: 0

Rosalinux
added 2023/12/26 11:51 a.m., 24 views

Advisory ROSA-SA-2023-2316

Software: libgcrypt 1.8.5 OS: ROSA Virtualization 2.1 package_evr_string: libgcrypt-1.8.5-7.rv3.src.rpm CVE-ID: CVE-2021-40528 BDU-ID: 2022-00593 CVE-Crit: MEDIUM CVE-DESC.: A vulnerability in the Libgcrypt cryptographic library is related to the use of a weak cryptographic algorithm. Exploitation ...

5.9 CVSS, 6.7 AI score, 0.00097 EPSS
Exploits: 1