Important: gstreamer1-plugins-good

Issue Overview: GStreamer is a library for constructing graphs of media-handling components. The program attempts to reallocate the memory pointed to by stream-samples to accommodate stream-nsamples + samplescount elements of type QtDemuxSample. The problem is that samplescount is read from the...

Medium: python

Issue Overview: CPython 3.9 and earlier doesn't disallow configuring an empty list for SSLContext.setnpnprotocols which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used see CVE-2024-5535 for OpenSSL. This vulnerability is of low severity due ...

Amazon Linux 2 : python3 (ALAS-2025-2743)

The version of python3 installed on the remote host is prior to 3.7.16-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2743 advisory. CPython 3.9 and earlier doesn't disallow configuring an empty list for SSLContext.setnpnprotocols which is an invalid value for th...

Amazon Linux 2 : kernel (ALAS-2025-2752)

The version of kernel installed on the remote host is prior to 4.14.256-197.484. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2752 advisory. A flaw use-after-free in function scosocksendmsg of the Linux kernel HCI subsystem was found in the way user calls...

Medium: edk2

Issue Overview: Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring...

Amazon Linux 2 : gstreamer1 (ALAS-2025-2746)

The version of gstreamer1 installed on the remote host is prior to 1.18.4-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2746 advisory. GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the...

Amazon Linux 2 : kernel (ALASKERNEL-5.4-2025-092)

The version of kernel installed on the remote host is prior to 5.4.289-204.398. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.4-2025-092 advisory. Placeholder CVE. Details forthcoming CVE-2024-10929 In the Linux kernel, the following vulnerability has...

Medium: java-17-amazon-corretto

Issue Overview: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13,...

Amazon Linux 2 : kernel (ALAS-2025-2745)

The version of kernel installed on the remote host is prior to 4.14.355-275.582. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2745 advisory. In the Linux kernel, the following vulnerability has been resolved: net/ipv6: avoid possible UAF in...

Important: kernel

Issue Overview: Placeholder CVE. Details forthcoming CVE-2024-10929 In the Linux kernel, the following vulnerability has been resolved: uprobe: avoid out-of-bounds memory access of fetching args CVE-2024-50067 In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Additiona...

Important: kernel

Issue Overview: A flaw use-after-free in function scosocksendmsg of the Linux kernel HCI subsystem was found in the way user calls ioct UFFDIOREGISTER or other way triggers race condition of the call scoconndel together with the call scosocksendmsg with the expected controllable faulting memory...

Amazon Linux 2 : java-17-amazon-corretto (ALAS-2025-2740)

The version of java-17-amazon-corretto installed on the remote host is prior to 17.0.14+7-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2740 advisory. Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracl...

Amazon Linux 2 : qemu (ALAS-2025-2742)

The version of qemu installed on the remote host is prior to 3.1.0-8. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2742 advisory. A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM...

Amazon Linux 2 : bind (ALAS-2025-2751)

The version of bind installed on the remote host is prior to 9.11.4-26.P2. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2751 advisory. It is possible to construct a zone such that some queries to it will generate responses containing numerous records in t...

Amazon Linux 2 : python (ALAS-2025-2744)

The version of python installed on the remote host is prior to 2.7.18-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2744 advisory. CPython 3.9 and earlier doesn't disallow configuring an empty list for SSLContext.setnpnprotocols which is an invalid value for the...

Amazon Linux 2 : java-11-amazon-corretto (ALAS-2025-2741)

The version of java-11-amazon-corretto installed on the remote host is prior to 11.0.26+4-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2741 advisory. Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracl...

Amazon Linux 2 : nerdctl (ALAS-2025-2749)

The version of nerdctl installed on the remote host is prior to 2.0.3-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2749 advisory. Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization...

Important: iperf3

Issue Overview: iperf v3.17.1 was discovered to contain a segmentation violation via the iperfexchangeparameters function. CVE-2024-53580 Affected Packages: iperf3 Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference between AL2 Core a...

Medium: perl-Module-ScanDeps

Issue Overview: Qualys discovered that if unsanitized input was used with the library Modules::ScanDeps, before version 1.36 a local attacker could possibly execute arbitrary shell commands by opening a "pesky pipe" such as passing "commands|" as a filename or by passing arbitrary strings to eval...

Important: postgresql

Issue Overview: Time-of-check Time-of-use TOCTOU race condition in pgdump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pgdump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack...