Important: thunderbird
Issue Overview: Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run...
Amazon Linux 2 : glibc, --advisory ALAS2-2026-3272 (ALAS-2026-3272)
The version of glibc installed on the remote host is prior to 2.26-64. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3272 advisory. The iconv function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from t...
Amazon Linux 2023 : python3-jwcrypto (ALAS2023-2026-1590)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1590 advisory. JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression...
Amazon Linux 2023 : python3-pip, python3-pip-wheel (ALAS2023-2026-1589)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1589 advisory. When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation...
Amazon Linux 2023 : bpftool6.12, kernel6.12, kernel6.12-devel (ALAS2023-2026-1594)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1594 advisory. In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: remove refcounting in expectation dumpers (CVE-2025-39764) In the Linux kernel, the following...
Amazon Linux 2023 : openssh, openssh-clients, openssh-keycat (ALAS2023-2026-1604)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1604 advisory. In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and...
Important: rclone
Issue Overview: gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 :path pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted...
Important: openssh
Issue Overview: In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode). CVE-2026-35385 Affected Packages: openssh Note: This...
Amazon Linux 2 : OpenEXR, --advisory ALAS2-2026-3267 (ALAS-2026-3267)
The version of OpenEXR installed on the remote host is prior to 1.7.1-8. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3267 advisory. OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the...
Amazon Linux 2023 : nodejs22, nodejs22-devel, nodejs22-full-i18n (ALAS2023-2026-1616)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1616 advisory. A flaw was found in zlib. An attacker providing specially crafted input to the crc32_combine64 or crc32_combine_gen64 functions could trigger an infinite loop within the x2nmodp function. This leads to...
Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2026-1608)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1608 advisory. A flaw was found in zlib. An attacker providing specially crafted input to the crc32_combine64 or crc32_combine_gen64 functions could trigger an infinite loop within the x2nmodp function. This leads to...
Amazon Linux 2023 : nodejs24, nodejs24-devel, nodejs24-full-i18n (ALAS2023-2026-1609)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1609 advisory. @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbound...
Low: nodejs22
Issue Overview: A flaw was found in zlib. An attacker providing specially crafted input to the crc32_combine64 or crc32_combine_gen64 functions could trigger an infinite loop within the x2nmodp function. This leads to excessive CPU consumption, which can result in a Denial of Service (DoS) for the...
CLSA-2026-1777474126 rsync: Fix of 2 CVEs
CVE-2024-12086: prevent server from reading arbitrary client files via path traversal - CVE-2025-10158: fix invalid access to files array in sender - Add upstream stability fix RsyncProject/rsync PR 706: use-after-free in generator - Enable Amazon Linux 2 ELS...
CLSA-2026-1777469554 rsync: Fix of 2 CVEs
CVE-2024-12086: prevent server from reading arbitrary client files via path traversal - CVE-2025-10158: fix invalid access to files array in sender - Add upstream stability fix RsyncProject/rsync PR 706: use-after-free in generator - Enable Amazon Linux 2 ELS...
CLSA-2026-1777391919 glib2: Fix of CVE-2020-35457
CVE-2020-35457: add a precondition in g_option_group_add_entries to avoid a GOptionEntry list size overflow G_MAXSIZE. Patch backported from amazon-linux-2els...
Amazon Linux 2 : perl-XML-Parser, --advisory ALAS2-2026-3230 (ALAS-2026-3230)
The version of perl-XML-Parser installed on the remote host is prior to 2.41-10. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3230 advisory. XML::Parser versions through 2.47 for Perl could overflow the pre-allocated buffer size cause a heap corruption...
Amazon Linux 2 : gimp, --advisory ALAS2GIMP-2026-013 (ALASGIMP-2026-013)
The version of gimp installed on the remote host is prior to 2.8.22-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2GIMP-2026-013 advisory. A flaw was found in GIMP. This issue is a heap buffer over-read in GIMP's PCX file loader due to an off-by-one error. A remote...
Amazon Linux 2 : libpng12, --advisory ALAS2-2026-3243 (ALAS-2026-3243)
The version of libpng12 installed on the remote host is prior to 1.2.50-10. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3243 advisory. LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster ima...
Amazon Linux 2 : freerdp, --advisory ALAS2-2026-3239 (ALAS-2026-3239)
The version of freerdp installed on the remote host is prior to 2.11.7-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3239 advisory. FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap buffer overflow occu...