3296 matches found

Tenable Nessus
added 2025/06/25 12:0 a.m. | 6 views

Amazon Linux 2 : thunderbird (ALAS-2025-2896)

The version of thunderbird installed on the remote host is prior to 128.11.1-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2896 advisory. A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's deskto...

CVSS 6.5 | AI score 7.1 | EPSS 0.00466
Exploits: 0 | References: 4

Tenable Nessus
added 2025/06/25 12:0 a.m. | 5 views

Amazon Linux 2 : kernel (ALAS-2025-2892)

The version of kernel installed on the remote host is prior to 4.14.311-233.529. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2892 advisory. In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix invalid address access in lookupre...

CVSS 7.8 | AI score 6.3 | EPSS 0.00164
Exploits: 0 | References: 12

Amazon
added 2025/06/24 12:0 a.m. | 2 views

Important: libvpx

Issue Overview: Use after free in libvpx in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: Medium Duplicate: https://console.harmony.a2z.com/al-cve-eval/cve/TEMP-1106689-EC87F6 CVE-2025-528...

CVSS 5.4 | AI score 7.2 | EPSS 0.00493
Exploits: 0

Amazon
added 2025/06/24 12:0 a.m. | 9 views

Medium: golang

Issue Overview: Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information. CVE-2025-4673 Affected Packages: golang Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the...

CVSS 6.8 | AI score 7.2 | EPSS 0.0056
Exploits: 0

Amazon
added 2025/06/24 12:0 a.m. | 6 views

Medium: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix invalid address access in lookup_rec when index is 0 CVE-2023-53075 In the Linux kernel, the following vulnerability has been resolved: ext4: fix task hung in ext4_xattr_delete_inode CVE-2023-53089 In the...

AI score 7.2 | EPSS 0.00164
Exploits: 0

Amazon
added 2025/06/24 12:0 a.m. | 4 views

Medium: aws-kinesis-agent

Issue Overview: Jackson-core contains core low-level incremental "streaming" parser and generator abstractions used by Jackson Data Processor. Starting in version 2.0.0 and prior to version 2.13.0, a flaw in jackson-core's JsonLocation.appendSourceDesc method allows up to 500 bytes of unintended...

CVSS 4 | AI score 6.8 | EPSS 0.00314
Exploits: 0

Amazon
added 2025/06/24 12:0 a.m. | 8 views

Medium: python-requests

Issue Overview: Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc...

CVSS 5.3 | AI score 6.6 | EPSS 0.00846
Exploits: 1

Amazon
added 2025/06/24 12:0 a.m. | 14 views

Important: rclone

Issue Overview: The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permi...

CVSS 9.1 | AI score 7.2 | EPSS 0.00682
Exploits: 0

Amazon
added 2025/06/24 12:0 a.m. | 6 views

Critical: ipa

Issue Overview: A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the krbCanonicalName for the admin account by default, allowing users to create services with the same canonical name as the REALM...

CVSS 9.1 | AI score 7.2 | EPSS 0.01827
Exploits: 1

Amazon
added 2025/06/24 12:0 a.m. | 10 views

Medium: libblockdev

Issue Overview: LPE from allow_active to root in libblockdev via udisks CVE-2025-6019 Affected Packages: libblockdev Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction: Run...

CVSS 7 | AI score 7.2 | EPSS 0.00423
Exploits: 18

Amazon
added 2025/06/24 12:0 a.m. | 4 views

Medium: postgresql

Issue Overview: Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5...

CVSS 5.9 | AI score 6.8 | EPSS 0.00612
Exploits: 0

Amazon
added 2025/06/24 12:0 a.m. | 12 views

Medium: postgresql

Issue Overview: Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5...

CVSS 5.9 | AI score 7.1 | EPSS 0.00612
Exploits: 0

Amazon
added 2025/06/24 12:0 a.m. | 4 views

Medium: udisks2

Issue Overview: LPE from allow_active to root in libblockdev via udisks CVE-2025-6019 Affected Packages: udisks2 Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction: Run yum...

CVSS 7 | AI score 7.2 | EPSS 0.00423
Exploits: 18

Amazon
added 2025/06/24 12:0 a.m. | 6 views

Medium: qt5-qt3d

Issue Overview: A vulnerability, which was classified as critical, was found in Open Asset Import Library Assimp 5.4.3. This affects the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The manipulation leads to...

CVSS 7.5 | AI score 7.2 | EPSS 0.00618
Exploits: 4

Amazon
added 2025/06/24 12:0 a.m. | 8 views

Important: libxml2

Issue Overview: A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input. CVE-2025-6021 Affected Packages:...

CVSS 7.5 | AI score 7.6 | EPSS 0.01067
Exploits: 1

Amazon
added 2025/06/24 12:0 a.m. | 3 views

Important: rclone

Issue Overview: The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permi...

CVSS 9.1 | AI score 6.9 | EPSS 0.00682
Exploits: 0

Tenable Nessus
added 2025/06/23 12:0 a.m. | 4 views

Amazon Linux 2 : amazon-ecr-credential-helper (ALASDOCKER-2025-069)

The version of amazon-ecr-credential-helper installed on the remote host is prior to 0.10.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2DOCKER-2025-069 advisory. The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size lin...

CVSS 9.1 | AI score 7 | EPSS 0.00682
Exploits: 0 | References: 4

Tenable Nessus
added 2025/06/23 12:0 a.m. | 5 views

Amazon Linux 2 : runc (ALASDOCKER-2025-068)

The version of runc installed on the remote host is prior to 1.2.4-3. It is, therefore, affected by a vulnerability as referenced in the ALAS2DOCKER-2025-068 advisory. The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF...

CVSS 9.1 | AI score 7 | EPSS 0.00682
Exploits: 0 | References: 4

Tenable Nessus
added 2025/06/23 12:0 a.m. | 3 views

Amazon Linux 2 : kernel (ALASKERNEL-5.15-2025-076)

The version of kernel installed on the remote host is prior to 5.15.182-123.190. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.15-2025-076 advisory. In the Linux kernel, the following vulnerability has been resolved: media: streamzap: fix race between...

CVSS 7.8 | AI score 6.5 | EPSS 0.00252
Exploits: 0 | References: 26

Tenable Nessus
added 2025/06/23 12:0 a.m. | 6 views

Amazon Linux 2 : runc (ALASECS-2025-068)

The version of runc installed on the remote host is prior to 1.2.4-3. It is, therefore, affected by a vulnerability as referenced in the ALAS2ECS-2025-068 advisory. The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF...

CVSS 9.1 | AI score 7 | EPSS 0.00682
Exploits: 0 | References: 4