Amazon Linux 2 : git (ALAS-2018-1035)

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.CVE-2018-11233 In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4...

Amazon Linux 2 : thunderbird (ALAS-2018-1032)

The following CVEs are fixed in the updated thunderbird package : CVE-2018-5161 : Hang via malformed headers CVE-2018-5162 : Encrypted mail leaks plaintext through src attribute CVE-2018-5183 : Backport critical security fixes in Skia CVE-2018-5155 : Use-after-free with SVG animations and text...

Amazon Linux 2 : procps-ng (ALAS-2018-1031)

Multiple integer overflows leading to heap corruption flaws were discovered in file2strvec. These vulnerabilities can lead to privilege escalation for a local attacker who can create entries in procfs by starting processes, which will lead to crashes or arbitrary code execution in proc utilities...

Amazon Linux 2 : 389-ds-base (ALAS-2018-1036)

It was found that 389-ds-base did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial...

Important: 389-ds-base

Issue Overview: It was found that 389-ds-base did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus...

Important: java-1.7.0-openjdk

Issue Overview: An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions a commonly used performance optimization. It relies on the presence of a precisely-defined instruction sequence in the privileged code...

Low: xdg-user-dirs

Issue Overview: It was found that the system umask policy is not being honored when creating XDG user directories /Desktop etc on first login. This could lead to user's files being inadvertently exposed to other local users.CVE-2017-15131 Affected Packages: xdg-user-dirs Note: This advisory is...

Critical: thunderbird

Issue Overview: The following CVEs are fixed in the updated thunderbird package: CVE-2018-5161: Hang via malformed headers CVE-2018-5162: Encrypted mail leaks plaintext through src attribute CVE-2018-5183: Backport critical security fixes in Skia CVE-2018-5155: Use-after-free with SVG animations...

Important: curl

Issue Overview: Curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command...

Important: qemu-kvm

Issue Overview: An out-of-bounds read access issue was found in the VGA display emulator built into the Quick emulator QEMU. It could occur while reading VGA memory to update graphics display. A privileged user/process inside guest could use this flaw to crash the QEMU process on the host resulti...

Important: git

Issue Overview: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.CVE-2018-11233 In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16...

Amazon Linux 2 : nghttp2 (ALAS-2018-1020)

nghttp2 version = 1.10.0 and nghttp2 = 1.31.1. CVE-2018-1000168 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux 2 Security Advisory ALAS-2018-1020. include'compat.inc'; if description scriptid110193; scriptversion"1.4";...

Amazon Linux 2 : dhcp (ALAS-2018-1021)

Command injection vulnerability in the DHCP client NetworkManager integration script : A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Amazon Linux 2. A malicious DHCP server, or an attacker on the local network able to spoof DHC...

Amazon Linux 2 : ghostscript (ALAS-2018-1022)

The settextdistance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows remote attackers to cause a denial of service application crash or possibly have unspecified other impac...

Important: kernel

Issue Overview: A weakness was found in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated. CVE-2018-1108 A flaw was found in the way the Linux kernel handled exceptions...

Critical: dhcp

Issue Overview: Command injection vulnerability in the DHCP client NetworkManager integration script: A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Amazon Linux 2. A malicious DHCP server, or an attacker on the local network ab...

Amazon Linux 2 : java-1.7.0-openjdk (ALAS-2018-1007)

Unbounded memory allocation during deserialization in NamedNodeMapImpl JAXP, 8189993 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE subcomponent: JAXP. Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit:...

Amazon Linux 2 : libvncserver (ALAS-2018-1012)

Improper input sanitization in rfbProcessClientNormalMessage in rfbserver.c An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly...

Amazon Linux 2 : golang (ALAS-2018-1011)

Arbitrary code execution during go get or go get -d Go before 1.8.4 and 1.9.x before 1.9.1 allows 'go get' remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git...

Amazon Linux 2 : krb5 (ALAS-2018-1010)

Authentication bypass by improper validation of certificate EKU and SAN An authentication bypass flaw was found in the way krb5's certauth interface handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate...