3305 matches found

Tenable Nessus
added 2024/04/30 12:0 a.m., 90 views

Amazon Linux 2 : kernel (ALAS-2024-2525)

The version of kernel installed on the remote host is prior to 4.14.336-257.568. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2525 advisory. A Speculative Race Condition SRC vulnerability that impacts modern CPU architectures supporting speculative...

5.7 CVSS, 7.1 AI score, 0.01231 EPSS
Exploits: 0, References: 6

Tenable Nessus
added 2024/04/30 12:0 a.m., 38 views

Amazon Linux 2 : ruby (ALAS-2024-2534)

The version of ruby installed on the remote host is prior to 2.0.0.648-36. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2534 advisory. An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PAS...

5.8 CVSS, 7 AI score, 0.0305 EPSS
Exploits: 1, References: 4

Tenable Nessus
added 2024/04/30 12:0 a.m., 33 views

Amazon Linux 2 : wireshark (ALAS-2024-2522)

The version of wireshark installed on the remote host is prior to 2.6.2-15. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2522 advisory. T.38 dissector crash in Wireshark 4.2.0 to 4.0.3 and 4.0.0 to 4.0.13 allows denial of service via packet injection or crafted...

7.8 CVSS, 6.8 AI score, 0.01414 EPSS
Exploits: 1, References: 4

Tenable Nessus
added 2024/04/30 12:0 a.m., 40 views

Amazon Linux 2 : mod_http2 (ALAS-2024-2524)

The version of mod_http2 installed on the remote host is prior to 1.15.19-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2524 advisory. HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413...

7.5 CVSS, 7.5 AI score, 0.91327 EPSS
Exploits: 2, References: 4

Tenable Nessus
added 2024/04/30 12:0 a.m., 37 views

Amazon Linux 2 : curl (ALAS-2024-2531)

The version of curl installed on the remote host is prior to 8.3.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2531 advisory. This flaw allows a malicious HTTP server to set super cookies in curl that are then passed back to more origins than what is otherwise...

6.5 CVSS, 6.4 AI score, 0.01685 EPSS
Exploits: 1, References: 4

Tenable Nessus
added 2024/04/30 12:0 a.m., 31 views

Amazon Linux 2 : firefox (ALASFIREFOX-2024-024)

The version of firefox installed on the remote host is prior to 115.10.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2FIREFOX-2024-024 advisory. An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript...

8.8 CVSS, 8 AI score, 0.047 EPSS
Exploits: 1, References: 16

Tenable Nessus
added 2024/04/30 12:0 a.m., 89 views

Amazon Linux 2 : kernel (ALASKERNEL-5.10-2024-054)

The version of kernel installed on the remote host is prior to 5.10.214-202.855. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2024-054 advisory. 2024-08-27: CVE-2024-26863 was added to this advisory. 2024-08-27: CVE-2023-52656 was added to this...

9.8 CVSS, 6.7 AI score, 0.00828 EPSS
Exploits: 0, References: 40

Tenable Nessus
added 2024/04/30 12:0 a.m., 64 views

Amazon Linux 2 : httpd (ALAS-2024-2532)

The version of httpd installed on the remote host is prior to 2.4.59-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2532 advisory. Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP...

7.3 CVSS, 6.9 AI score, 0.03914 EPSS
Exploits: 0, References: 6

Tenable Nessus
added 2024/04/30 12:0 a.m., 22 views

Amazon Linux 2 : kernel (ALASKERNEL-5.4-2024-063)

The version of kernel installed on the remote host is prior to 5.4.110-54.189. It is, therefore, affected by a vulnerability as referenced in the ALAS2KERNEL-5.4-2024-063 advisory. In the Linux kernel, the following vulnerability has been resolved: locking/qrwlock: Fix ordering in...

5.5 CVSS, 6.5 AI score, 0.00228 EPSS
Exploits: 0, References: 4

Tenable Nessus
added 2024/04/30 12:0 a.m., 21 views

Amazon Linux 2 : kernel (ALASKERNEL-5.10-2024-055)

The version of kernel installed on the remote host is prior to 5.10.29-27.128. It is, therefore, affected by a vulnerability as referenced in the ALAS2KERNEL-5.10-2024-055 advisory. In the Linux kernel, the following vulnerability has been resolved: locking/qrwlock: Fix ordering in...

5.5 CVSS, 6.5 AI score, 0.00228 EPSS
Exploits: 0, References: 4

Amazon
added 2024/04/30 12:0 a.m., 1 views

Medium: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: locking/qrwlock: Fix ordering in queued_write_lock_slowpath CVE-2021-46921 Affected Packages: kernel Note: This advisory is applicable to Amazon Linux 2 - Kernel-5.4 Extra. Visit this page to learn more about Amazon...

5.5 CVSS, 6.6 AI score, 0.00228 EPSS
Exploits: 0

Tenable Nessus
added 2024/04/18 12:0 a.m., 82 views

Amazon Linux 2 : dnsmasq (ALASDNSMASQ-2024-002)

The version of dnsmasq installed on the remote host is prior to 2.90-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2DNSMASQ-2024-002 advisory. Certain DNSSEC aspects of the DNS protocol in RFC 4035 and related RFCs allow remote attackers to cause a denial of...

7.5 CVSS, 6.9 AI score, 0.99995 EPSS
Exploits: 1, References: 6

Amazon
added 2024/04/18 12:0 a.m., 8 views

Medium: python3

Issue Overview: An issue was found in the CPython zipfile module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to "quoted-overlap" zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed...

6.2 CVSS, 6.8 AI score, 0.00333 EPSS
Exploits: 0

Amazon
added 2024/04/18 12:0 a.m., 39 views

Medium: libvirt

Issue Overview: An off-by-one error flaw was found in the udevListInterfacesByStatus function in libvirt when the number of interfaces exceeds the size of the names array. This issue can be reproduced by sending specially crafted data to the libvirt daemon, allowing an unprivileged client to...

6.2 CVSS, 6.6 AI score, 0.00398 EPSS
Exploits: 0

Amazon
added 2024/04/18 12:0 a.m., 68 views

Important: tomcat

Issue Overview: Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option...

7.5 CVSS, 7.5 AI score, 0.51547 EPSS
Exploits: 1

Tenable Nessus
added 2024/04/18 12:0 a.m., 34 views

Amazon Linux 2 : tigervnc (ALAS-2024-2510)

The version of tigervnc installed on the remote host is prior to 1.8.0-24. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2510 advisory. A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents function. This issue...

7.8 CVSS, 7.2 AI score, 0.01843 EPSS
Exploits: 0, References: 8

Tenable Nessus
added 2024/04/18 12:0 a.m., 28 views

Amazon Linux 2 : xorg-x11-server (ALAS-2024-2511)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2511 advisory. A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents function. This issue occurs when byte-swapped length values are used in replies, potentially...

7.8 CVSS, 7.2 AI score, 0.01843 EPSS
Exploits: 0, References: 8

Amazon
added 2024/04/18 12:0 a.m., 25 views

Important: glib2

Issue Overview: GNOME GLib before 2.65.3 has an integer overflow, that might lead to an out-of-bounds write, in g_option_group_add_entries. NOTE: the vendor's position is "Realistically this is not a security issue. The standard pattern is for callers to provide a static list of option entries in a...

7.8 CVSS, 7.8 AI score, 0.00567 EPSS
Exploits: 1

Tenable Nessus
added 2024/04/18 12:0 a.m., 40 views

Amazon Linux 2 : webkitgtk4 (ALAS-2024-2516)

The version of webkitgtk4 installed on the remote host is prior to 2.42.5-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2516 advisory. The issue was addressed with improved memory handling. This issue is fixed in Safari 17.2, iOS 17.2 and iPadOS 17.2,...

8.1 CVSS, 6.5 AI score, 0.01496 EPSS
Exploits: 0, References: 8

Amazon
added 2024/04/18 12:0 a.m., 7 views

Medium: webkitgtk4

Issue Overview: The issue was addressed with improved memory handling. This issue is fixed in Safari 17.2, iOS 17.2 and iPadOS 17.2, macOS Sonoma 14.2. Processing web content may lead to a denial-of-service. CVE-2023-42956 A logic issue was addressed with improved validation. This issue is fixed ...

8.1 CVSS, 6.4 AI score, 0.01496 EPSS
Exploits: 0