
3297 matches found

Tenable Nessus
added 2024/12/23 12:0 a.m. | 7 views

Amazon Linux 2 : glibc (ALAS-2024-2718)

The version of glibc installed on the remote host is prior to 2.26-64. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2718 advisory. glibc: null pointer dereferences after failed netgroup cache insertion CVE-2024-33600 Tenable has extracted the preceding description...

CVSS 5.9 | AI score 6.7 | EPSS 0.01216
Exploits 0 | References 4

Tenable Nessus
added 2024/12/23 12:0 a.m. | 12 views

Amazon Linux 2 : kernel (ALASKERNEL-5.4-2024-088)

The version of kernel installed on the remote host is prior to 5.4.286-201.385. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.4-2024-088 advisory. In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release...

CVSS 9.1 | AI score 6.7 | EPSS 0.01367
Exploits 1 | References 10

Tenable Nessus
added 2024/12/23 12:0 a.m. | 17 views

Amazon Linux 2 : dovecot (ALAS-2024-2719)

The version of dovecot installed on the remote host is prior to 2.2.36-6. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2719 advisory. Dovecot reports: A DoS is possible with a large number of address headers or abnormally large email headers. CVE-2024-23185 Tenabl...

CVSS 7.5 | AI score 7 | EPSS 0.01284
Exploits 1 | References 4

Tenable Nessus
added 2024/12/23 12:0 a.m. | 12 views

Amazon Linux 2 : avahi (ALAS-2024-2704)

The version of avahi installed on the remote host is prior to 0.6.31-20. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2704 advisory. avahi: Avahi Wide-Area DNS Uses Constant Source Port CVE-2024-52615 avahi: Avahi Wide-Area DNS Predictable Transaction IDs...

CVSS 5.3 | AI score 6.8 | EPSS 0.00681
Exploits 0 | References 6

Tenable Nessus
added 2024/12/23 12:0 a.m. | 14 views

Amazon Linux 2 : python-pip (ALAS-2024-2715)

It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2715 advisory. Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the sa...

CVSS 5.6 | AI score 6.3 | EPSS 0.0034
Exploits 0 | References 4

Tenable Nessus
added 2024/12/23 12:0 a.m. | 12 views

Amazon Linux 2 : libxml2 (ALAS-2024-2717)

The version of libxml2 installed on the remote host is prior to 2.9.1-6. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2717 advisory. An issue was discovered in xmllint from libxml2 before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint...

CVSS 7.5 | AI score 7.1 | EPSS 0.02298
Exploits 1 | References 4

Tenable Nessus
added 2024/12/23 12:0 a.m. | 22 views

Amazon Linux 2 : kernel (ALASKERNEL-5.15-2024-059)

The version of kernel installed on the remote host is prior to 5.15.173-118.169. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.15-2024-059 advisory. In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix potential context UAFs...

CVSS 7.8 | AI score 6.9 | EPSS 0.00333
Exploits 0 | References 12

Tenable Nessus
added 2024/12/23 12:0 a.m. | 13 views

Amazon Linux 2 : kernel (ALASKERNEL-5.10-2024-075)

The version of kernel installed on the remote host is prior to 5.10.214-202.855. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2024-075 advisory. 2025-01-21: CVE-2024-26878 was added to this advisory. 2025-01-21: CVE-2024-27388 was added to this...

CVSS 9.8 | AI score 6.8 | EPSS 0.00829
Exploits 0 | References 54

Tenable Nessus
added 2024/12/23 12:0 a.m. | 33 views

Amazon Linux 2 : kernel (ALASKERNEL-5.10-2024-074)

The version of kernel installed on the remote host is prior to 5.10.230-223.885. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2024-074 advisory. In the Linux kernel, the following vulnerability has been resolved: net: bridge: xmit: make sure we have...

CVSS 7.8 | AI score 6.7 | EPSS 0.00333
Exploits 0 | References 8

Tenable Nessus
added 2024/12/23 12:0 a.m. | 12 views

Amazon Linux 2 : gnome-shell (ALAS-2024-2714)

The version of gnome-shell installed on the remote host is prior to 3.28.3-34. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2714 advisory. In GNOME Shell through 45.7, a portal helper can be launched automatically without user confirmation based on network respons...

CVSS 6.5 | AI score 6.7 | EPSS 0.00299
Exploits 0 | References 4

Tenable Nessus
added 2024/12/23 12:0 a.m. | 17 views

Amazon Linux 2 : edk2 (ALAS-2024-2722)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2722 advisory. A heap overflow in LzmaUefiDecompressGetInfo function in EDK II. CVE-2021-28211 BootPerformanceTable pointer is read from an NVRAM variable in PEI. Recommend setting...

CVSS 9.8 | AI score 7.3 | EPSS 0.05966
Exploits 2 | References 18

Amazon
added 2024/12/19 12:0 a.m. | 11 views

Medium: gnome-shell

Issue Overview: In GNOME Shell through 45.7, a portal helper can be launched automatically without user confirmation based on network responses provided by an adversary e.g., an adversary who controls the local Wi-Fi network, and subsequently loads untrusted JavaScript code, which may lead to...

CVSS 6.5 | AI score 6.6 | EPSS 0.00299
Exploits 0

Amazon
added 2024/12/19 12:0 a.m. | 16 views

Medium: python-pip

Issue Overview: Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to th...

CVSS 5.6 | AI score 6.2 | EPSS 0.0034
Exploits 0

Amazon
added 2024/12/19 12:0 a.m. | 6 views

Medium: NetworkManager-libreswan

Issue Overview: A flaw was found in the libreswan client plugin for NetworkManager (NetworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special...

CVSS 7.8 | AI score 8 | EPSS 0.00452
Exploits 0

Amazon
added 2024/12/19 12:0 a.m. | 15 views

Medium: zziplib

Issue Overview: A Stack Buffer Overflow vulnerability in zziplibv 0.13.77 allows attackers to cause a denial of service via the __zzip_fetch_disk_trailer function at /zzip/zip.c. CVE-2024-39134 Affected Packages: zziplib Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit th...

CVSS 7.5 | AI score 6.3 | EPSS 0.00604
Exploits 1

Amazon
added 2024/12/19 12:0 a.m. | 9 views

Important: flatpak

Issue Overview: A sandbox escape vulnerability was found in Flatpak due to a symlink-following issue when mounting persistent directories. This flaw allows a local user or attacker to craft a symbolic link that can bypass the intended restrictions, enabling access to and modification of files...

CVSS 10 | AI score 8.8 | EPSS 0.01283
Exploits 1

Amazon
added 2024/12/19 12:0 a.m. | 29 views

Important: ghostscript

Issue Overview: PS interpreter - check the type of the Pattern Implementation NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707991 NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f49812186baa7d1362880673408a6fbe8719b4f8 NOTE:...

CVSS 7.8 | AI score 8.2 | EPSS 0.00388
Exploits 0

Amazon
added 2024/12/19 12:0 a.m. | 20 views

Medium: avahi

Issue Overview: avahi: Avahi Wide-Area DNS Uses Constant Source Port CVE-2024-52615 avahi: Avahi Wide-Area DNS Predictable Transaction IDs CVE-2024-52616 Affected Packages: avahi Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference...

CVSS 5.3 | AI score 5.3 | EPSS 0.00681
Exploits 0

Amazon
added 2024/12/19 12:0 a.m. | 15 views

Medium: apr

Issue Overview: Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 apr...

CVSS 5.5 | AI score 5.7 | EPSS 0.00332
Exploits 0

Amazon
added 2024/12/19 12:0 a.m. | 15 views

Low: opensc

Issue Overview: It is caused by the libopensc library in opensc project. This vulnerability affects how the buffer data is handled and partially filled buffers can be accessed incorrectly when a specially crafted response to APDUs in a USB device or a smart card. CVE-2024-45615 It is caused by th...

CVSS 4.3 | AI score 4.9 | EPSS 0.00355
Exploits 0