Important: kernel-livepatch-5.10.234-225.917

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes CVE-2025-21991 Affected Packages: kernel-livepatch-5.10.234-225.917 Issue Correction: Please ensure you have live patching enabled. Run yum...

Amazon Linux 2 : kernel (ALASKERNEL-5.15-2025-077)

The version of kernel installed on the remote host is prior to 5.15.184-125.189. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.15-2025-077 advisory. In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUGON when 0 reference...

Important: amazon-ecr-credential-helper

Issue Overview: The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permi...

Amazon Linux 2 : amazon-ecr-credential-helper (ALASECS-2025-069)

The version of amazon-ecr-credential-helper installed on the remote host is prior to 0.10.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2ECS-2025-069 advisory. The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line...

Medium: qt

Issue Overview: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion. CVE-2023-38197 Affected Packages: qt Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this F...

Medium: screen

Issue Overview: TTY Hijacking while Attaching to a Multiuser Session in the screen package Has potential to break some reattach use cases, but the specific use case was broken already before. screen in Debian not installed setuid or setgid DEBIANBUG: 1105191 Info:...

Important: python2-setuptools

Issue Overview: setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in PackageIndex is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the...

Medium: ghostscript

Issue Overview: gslibctxstashsanitizedarg in base/gslibctx.c in Artifex Ghostscript before 10.05.1 lacks argument sanitization for the case. A created PDF document includes its password in cleartext. CVE-2025-48708 Affected Packages: ghostscript Note: This advisory is applicable to Amazon Linux 2...

Important: python-setuptools

Issue Overview: setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in PackageIndex is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the...

Amazon Linux 2 : amazon-ssm-agent (ALAS-2025-2883)

The version of amazon-ssm-agent installed on the remote host is prior to 3.3.2299.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2883 advisory. SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which...

Medium: screen

Issue Overview: TTY Hijacking while Attaching to a Multiuser Session in the screen package Has potential to break some reattach use cases, but the specific use case was broken already before. screen in Debian not installed setuid or setgid DEBIANBUG: 1105191 Info:...

Medium: python-tornado

Issue Overview: Tornado is a Python web framework and asynchronous networking library. When Tornado's multipart/form-data parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume ...

Medium: python3-tornado

Issue Overview: Tornado is a Python web framework and asynchronous networking library. When Tornado's multipart/form-data parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume ...

Important: perl-File-Find-Rule

Issue Overview: File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when grep encounters a crafted filename. A file handle is opened with the 2 argument form of open allowing an attacker controlled filename to provide the MODE parameter to open, turning the filename...

Medium: perl-FCGI

Issue Overview: FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 aka fcgi library. The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow and resultant heap-based buffer overflow via crafted nameLen or valueLen values in...

Amazon Linux 2 : python-setuptools (ALAS-2025-2876)

It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2876 advisory. setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in PackageIndex is present in setuptools prior to version...

Amazon Linux 2 : python2-setuptools (ALAS-2025-2877)

The version of python2-setuptools installed on the remote host is prior to 41.2.0-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2877 advisory. setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path...

Medium: libtasn1

Issue Overview: When an input DER data contains a large number of SEQUENCE OF or SET OF elements, decoding the data and searching a specific element in it take quadratic time to complete. This could be utilized for a remote DoS attack by presenting a crafted certificate to the network peer...

Important: amazon-ssm-agent

Issue Overview: SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. CVE-2025-22869 Affected Packages:...

Important: libsoup

Issue Overview: A flaw was found in the soupmultipartnewfrommessage function of the libsoup HTTP library, which is commonly used by GNOME and other applications to handle web communications. The issue occurs when the library processes specially crafted multipart messages. Due to improper...