Amazon Linux 2 : ipa (ALAS-2024-2585)

It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2585 advisory. A vulnerability was found in FreeIPA in a way when a Kerberos TGS-REQ is encrypted using the client's session key. This key is different for each new session, which protects it from brute force attacks...

Amazon Linux 2 : kernel (ALAS-2024-2589)

The version of kernel installed on the remote host is prior to 4.14.348-265.565. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2589 advisory. In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Disable kvmclock on all CPUs on shutdown...

Important: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Disable kvmclock on all CPUs on shutdown CVE-2021-47110 In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Teardown PV features on boot CPU as well CVE-2021-47112 Affected...

Important: pki-core

Issue Overview: A flaw was found in dogtag-pki and pki-core. The token authentication scheme can be bypassed with a LDAP injection. By passing the query string parameter sessionID=, an attacker can authenticate with an existing session saved in the LDAP directory server, which may lead to...

Amazon Linux 2 : kernel (ALASKERNEL-5.4-2024-074)

The version of kernel installed on the remote host is prior to 5.4.277-190.375. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.4-2024-074 advisory. In the Linux kernel, the following vulnerability has been resolved: ext4: fix bugon in estreesearch...

Amazon Linux 2 : firefox (ALASFIREFOX-2024-026)

The version of firefox installed on the remote host is prior to 115.12.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2FIREFOX-2024-026 advisory. RESERVEDNOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-30/CVE-2022-2205 CVE-2022-2205 An attack...

Amazon Linux 2 : kernel (ALASKERNEL-5.10-2024-063)

The version of kernel installed on the remote host is prior to 5.10.219-208.866. It is, therefore, affected by a vulnerability as referenced in the ALAS2KERNEL-5.10-2024-063 advisory. In the Linux kernel, the following vulnerability has been resolved: net: fix dstnegativeadvice race CVE-2024-3697...

Medium: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: net: fix dstnegativeadvice race CVE-2024-36971 Affected Packages: kernel Note: This advisory is applicable to Amazon Linux 2 - Kernel-5.10 Extra. Visit this page to learn more about Amazon Linux 2 AL2 Extras and...

Amazon Linux 2 : unbound (ALASUNBOUND-1.17-2024-002)

The version of unbound installed on the remote host is prior to 1.17.0-2. It is, therefore, affected by a vulnerability as referenced in the ALAS2UNBOUND-1.17-2024-002 advisory. A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound gro...

Important: unbound

Issue Overview: A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw...

Important: libndp

Issue Overview: A vulnerability was found in libndp. A buffer overflow in NetworkManager that can be triggered by sending a malformed IPv6 router advertisement packet via malicious user locally. This happens as libndp was not validating correctly the route length information and hence leading to ...

Amazon Linux 2 : booth (ALAS-2024-2575)

The version of booth installed on the remote host is prior to 1.0-8.ef769ef.git. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2575 advisory. A flaw was found in Booth, a cluster ticket manager. If a specially-crafted hash is passed to gcrymdgetalgodlen, it may all...

Amazon Linux 2 : golang (ALAS-2024-2576)

The version of golang installed on the remote host is prior to 1.22.4-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2576 advisory. The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip...

Amazon Linux 2 : kernel (ALAS-2024-2581)

The version of kernel installed on the remote host is prior to 4.14.348-265.562. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2581 advisory. An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x8664 lacks...

Medium: dnsmasq

Issue Overview: dnsmasq 2.9 is vulnerable to Integer Overflow via forwardquery. CVE-2023-49441 Affected Packages: dnsmasq Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction...

Medium: python3-jinja2

Issue Overview: Jinja is an extensible templating engine. The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, , or =, as each would then be interpreted as starting a separate attribute. If an application...

Medium: golang

Issue Overview: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip...

Amazon Linux 2 : kernel, --advisory ALAS2KERNEL-5.4-2024-072 (ALASKERNEL-5.4-2024-072)

The version of kernel installed on the remote host is prior to 5.4.261-174.360. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.4-2024-072 advisory. In the Linux kernel, the following vulnerability has been resolved: Input: synaptics-rmi4 - fix use after...

Amazon Linux 2 : dnsmasq (ALAS-2024-2580)

The version of dnsmasq installed on the remote host is prior to 2.76-16. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2580 advisory. dnsmasq 2.9 is vulnerable to Integer Overflow via forwardquery. CVE-2023-49441 Tenable has extracted the preceding description bloc...

Medium: python-jinja2

Issue Overview: Jinja is an extensible templating engine. The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, , or =, as each would then be interpreted as starting a separate attribute. If an application...