Medium: vim

Issue Overview: Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault SEGV exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.007...

Amazon Linux 2023 : python3.14, python3.14-devel, python3.14-freethreading (ALAS2023-2026-1556)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1556 advisory. The webbrowser.open API would accept leading dashes in the URL whichcould be handled as command line options for certain web browsers. Newbehavior rejects leading dashes. Users are recommended to...

Amazon Linux 2023 : mod_security_crs (ALAS2023-2026-1562)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1562 advisory. Whitespace padding in filenames bypasses file upload extension checks NOTE: https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w CVE-2026-33691 Tenable has extracted the...

Amazon Linux 2023 : openexr, openexr-devel, openexr-libs (ALAS2023-2026-1561)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1561 advisory. OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, a crafted B4...

Amazon Linux 2023 : below (ALAS2023-2026-1567)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1567 advisory. tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As par...

Important: python3.13

Issue Overview: The webbrowser.open API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open. CVE-2026-4519 Affected Packages:...

Important: python3.11

Issue Overview: The webbrowser.open API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open. CVE-2026-4519 Affected Packages:...

Important: dovecot

Issue Overview: Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the configured credentials. Figuring out the credential will lead into full access to the affected component. Limit access to the doveadm ht...

Amazon Linux 2023 : python3.13, python3.13-devel, python3.13-freethreading (ALAS2023-2026-1555)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1555 advisory. The webbrowser.open API would accept leading dashes in the URL whichcould be handled as command line options for certain web browsers. Newbehavior rejects leading dashes. Users are recommended to...

Amazon Linux 2023 : yq (ALAS2023-2026-1582)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1582 advisory. The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service DoS if an attacker provides specially...

Amazon Linux 2023 : cargo, clippy, rust (ALAS2023-2026-1568)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1568 advisory. A flaw in the gix-date library can generate invalid non-UTF8 strings, leading to undefined behavior when processed. The most likely impact from a successful attack is to data integrity, by the...

Amazon Linux 2023 : freerdp, freerdp-devel, freerdp-libs (ALAS2023-2026-1549)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1549 advisory. DoS via WINPRASSERT in rtsreadauthverifiernochecks NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4v4p-9v5x-hc93 CVE-2026-33952 DoS via WINPRASSERT in IMA ADPCM audio decode...

Amazon Linux 2023 : plexus-utils, plexus-utils-javadoc (ALAS2023-2026-1545)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1545 advisory. Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus- utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute...

Amazon Linux 2023 : sudo, sudo-devel, sudo-logsrvd (ALAS2023-2026-1559)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1559 advisory. In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation...

Amazon Linux 2023 : polkit, polkit-devel, polkit-libs (ALAS2023-2026-1546)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1546 advisory. A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the polkit-agent-helper-1 setuid binary via standard input stdin. This unbounded...

Amazon Linux 2023 : corosync, corosync-vqsim, corosynclib (ALAS2023-2026-1560)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1560 advisory. A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially craft...

Amazon Linux 2023 : python3.12, python3.12-devel, python3.12-idle (ALAS2023-2026-1557)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1557 advisory. The webbrowser.open API would accept leading dashes in the URL whichcould be handled as command line options for certain web browsers. Newbehavior rejects leading dashes. Users are recommended to...

Amazon Linux 2023 : gstreamer1-plugins-good, gstreamer1-plugins-good-gtk (ALAS2023-2026-1579)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1579 advisory. An out-of-bounds read in the WAV parser that can cause crashes for certain input files. CVE-2026-1940 Tenable has extracted the preceding description block directly from the tested product security...

Amazon Linux 2023 : python3.11, python3.11-devel, python3.11-idle (ALAS2023-2026-1558)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1558 advisory. The webbrowser.open API would accept leading dashes in the URL whichcould be handled as command line options for certain web browsers. Newbehavior rejects leading dashes. Users are recommended to...

Amazon Linux 2023 : javapackages-bootstrap (ALAS2023-2026-1581)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1581 advisory. Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus- utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute...