Amazon Linux 2 : nginx, --advisory ALAS2NGINX1-2025-009 (ALASNGINX1-2025-009)

The version of nginx installed on the remote host is prior to 1.28.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2NGINX1-2025-009 advisory. NGINX Open Source and NGINX Plus have a vulnerability in the ngxmailsmtpmodule that might allow an unauthenticated attacker to...

Amazon Linux 2 : edk2 (ALAS-2025-2975)

It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2975 advisory. EDK2 contains a vulnerability in BIOS where an attacker may cause Protection Mechanism Failure by local access. Successful exploitation of this vulnerability will lead to arbitrary code execution and impa...

Amazon Linux 2 : webkitgtk4 (ALAS-2025-2970)

The version of webkitgtk4 installed on the remote host is prior to 2.48.5-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2970 advisory. A cookie management issue was addressed with improved state management. This issue is fixed in watchOS 11, macOS Sequo...

Important: python3

Issue Overview: There is a defect in the CPython "tarfile" module affecting the "TarFile" extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously...

Important: kernel-livepatch-5.10.237-230.949

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: dma-buf/dma-resv: check if the new fence is really later CVE-2022-49935 Affected Packages: kernel-livepatch-5.10.237-230.949 Issue Correction: Please ensure you have live patching enabled. Run yum update...

Amazon Linux 2 : python (ALAS-2025-2961)

The version of python installed on the remote host is prior to 2.7.18-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2961 advisory. There is a defect in the CPython tarfile module affecting the TarFile extraction and entry enumeration APIs. The tar implementation...

Amazon Linux 2 : kernel (ALASKERNEL-5.10-2025-097)

The version of kernel installed on the remote host is prior to 5.10.238-234.956. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2025-097 advisory. In the Linux kernel, the following vulnerability has been resolved: mm/khugepaged: fix -anonvma race...

Amazon Linux 2 : kernel, --advisory ALAS2KERNEL-5.15-2025-087 (ALASKERNEL-5.15-2025-087)

The version of kernel installed on the remote host is prior to 5.15.189-131.206. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.15-2025-087 advisory. In the Linux kernel, the following vulnerability has been resolved: net: tap: NULL pointer derefence in...

Amazon Linux 2 : kernel, --advisory ALAS2KERNEL-5.4-2025-106 (ALASKERNEL-5.4-2025-106)

The version of kernel installed on the remote host is prior to 5.4.296-217.427. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.4-2025-106 advisory. In the Linux kernel, the following vulnerability has been resolved: net: tap: NULL pointer derefence in...

Amazon Linux 2 : kernel, --advisory ALAS2KERNEL-5.10-2025-101 (ALASKERNEL-5.10-2025-101)

The version of kernel installed on the remote host is prior to 5.10.240-238.959. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2025-101 advisory. In the Linux kernel, the following vulnerability has been resolved: net: tap: NULL pointer derefence in...

Medium: ruby

Issue Overview: The attack vector is a potential Denial of Service DoS. The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv...

Important: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: net: tap: NULL pointer derefence in devparseheaderprotocol when skb-dev is null CVE-2022-50073 In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix a server shutdown leak CVE-2023-53131 ...

Low: kernel

Issue Overview: No CVE associated with this advisory Affected Packages: kernel Note: This advisory is applicable to Amazon Linux 2 - Kernel-5.10 Extra. Visit this page to learn more about Amazon Linux 2 AL2 Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories...

Important: unbound

Issue Overview: A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet ECS. Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along wit...

Medium: thunderbird

Issue Overview: There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above. CVE-2025-6965 Affected Packages:...

Medium: libvpx

Issue Overview: VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding. CVE-2023-44488 A heap overflow vulnerability exists in libvpx - Encoding a frame that has larger dimensions than the originally configured size with VP9 may result in a heap overflow in libvpx. ...

Medium: php

Issue Overview: fsockopen doesn't regard hostname as well, hostname is terminated at the null byte. This can cause Server Side Request Forgery in general case. CVE-2025-1220 Missing error checking could result in SQL injection and missing error handling could lead to crashes due to null pointer...

Important: gdk-pixbuf2

Issue Overview: In GNOME GdkPixbuf aka gdk-pixbuf through 2.42.10, the ANI Windows animated cursor decoder encounters heap memory corruption in aniloadchunk in io-ani.c when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a deni...

Low: kernel

Issue Overview: No CVE associated with this advisory Affected Packages: kernel Note: This advisory is applicable to Amazon Linux 2 - Kernel-5.15 Extra. Visit this page to learn more about Amazon Linux 2 AL2 Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories...

Medium: jackson

Issue Overview: jackson-core contains core low-level incremental "streaming" parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth...