3297 matches found
Amazon Linux 2 : golang (ALAS-2024-2643)
The version of golang installed on the remote host is prior to 1.22.7-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2643 advisory. Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack...
Amazon Linux 2 : thunderbird (ALAS-2024-2640)
The version of thunderbird installed on the remote host is prior to 115.13.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2640 advisory. Memory safety bugs present in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12. Some of these bugs showed evidence of...
Amazon Linux 2 : kernel (ALAS-2024-2642)
The version of kernel installed on the remote host is prior to 4.14.352-268.568. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2642 advisory. In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name...
Amazon Linux 2 : python-pillow (ALAS-2024-2648)
The version of python-pillow installed on the remote host is prior to 2.0.0-23.gitd1c6db8. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2648 advisory. Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. (CVE-2020-10177) Tenable has...
Medium: python-pillow
Issue Overview: Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. (CVE-2020-10177) Affected Packages: python-pillow. Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras...
Medium: xerces-j2
Issue Overview: Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions. (CVE-2012-0881) There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when...
Amazon Linux 2 : redis (ALASREDIS6-2024-010)
The version of redis installed on the remote host is prior to 6.2.14-2. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2REDIS6-2024-010 advisory. Denial-of-service due to unbounded pattern matching (CVE-2024-31228) Lua library commands may be exploited by an...
Medium: python-dns
Issue Overview: eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred...
Important: kernel
Issue Overview: In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name (CVE-2024-39494) Affected Packages: kernel. Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between...
Amazon Linux 2 : postgresql (ALASPOSTGRESQL14-2024-012)
The version of postgresql installed on the remote host is prior to 14.13-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2POSTGRESQL14-2024-012 advisory. Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary...
Amazon Linux 2 : amazon-ecr-credential-helper (ALASDOCKER-2024-046)
The version of amazon-ecr-credential-helper installed on the remote host is prior to 0.9.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2DOCKER-2024-046 advisory. The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses...
Amazon Linux 2 : postgresql (ALASPOSTGRESQL12-2024-011)
The version of postgresql installed on the remote host is prior to 12.20-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2POSTGRESQL12-2024-011 advisory. Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary...
Amazon Linux 2 : kernel, --advisory ALAS2KERNEL-5.15-2024-055 (ALASKERNEL-5.15-2024-055)
The version of kernel installed on the remote host is prior to 5.15.167-112.165. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.15-2024-055 advisory. In the Linux kernel, the following vulnerability has been resolved: rcu-tasks: Fix...
Amazon Linux 2 : amazon-ecr-credential-helper (ALASECS-2024-043)
The version of amazon-ecr-credential-helper installed on the remote host is prior to 0.9.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2ECS-2024-043 advisory. The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses,...
Amazon Linux 2 : libpq (ALASPOSTGRESQL12-2024-012)
The version of libpq installed on the remote host is prior to 12.20-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2POSTGRESQL12-2024-012 advisory. Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL...
Amazon Linux 2 : kernel, --advisory ALAS2KERNEL-5.10-2024-071 (ALASKERNEL-5.10-2024-071)
The version of kernel installed on the remote host is prior to 5.10.225-213.878. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2024-071 advisory. In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: don't allow mapping the...
Amazon Linux 2 : kernel, --advisory ALAS2KERNEL-5.4-2024-086 (ALASKERNEL-5.4-2024-086)
The version of kernel installed on the remote host is prior to 5.4.284-196.380. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.4-2024-086 advisory. In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's...
Important: golang
Issue Overview: Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. (CVE-2024-34155) Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a...
Amazon Linux 2 : postgresql (ALASPOSTGRESQL13-2024-007)
The version of postgresql installed on the remote host is prior to 13.16-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2POSTGRESQL13-2024-007 advisory. Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary...
Amazon Linux 2 : kernel, --advisory ALAS2KERNEL-5.10-2024-070 (ALASKERNEL-5.10-2024-070)
The version of kernel installed on the remote host is prior to 5.10.226-214.879. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2024-070 advisory. In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free after...