Important: rust

Issue Overview: RUSTSEC-2024-0006 NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0006.html NOTE: https://github.com/comex/rust-shlex/security/advisories/GHSA-r7qv-8r2h-pg27 Affected Packages: rust Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section f...

Medium: postgresql

Issue Overview: A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. CVE-2021-23222 Affected Packages: postgresql Note: This advisory is applicable to Amazon Linux 2 - Postgresql14 Extra. Visit...

Important: aws-nitro-enclaves-cli

Issue Overview: RUSTSEC-2024-0006 NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0006.html NOTE: https://github.com/comex/rust-shlex/security/advisories/GHSA-r7qv-8r2h-pg27 Affected Packages: aws-nitro-enclaves-cli Note: This advisory is applicable to Amazon Linux 2 - Nitro-enclaves Extra. Vis...

Medium: xerces-c

Issue Overview: Apache issued this CVE to indicate the correct versions of xerces-c, which included the fix for CVE-2018-1311. See the older CVE page for fix status. CVE-2024-23807 Affected Packages: xerces-c Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ...

Medium: wpa_supplicant

Issue Overview: wpasupplicant: potential authorization bypass CVE-2023-52160 Affected Packages: wpasupplicant Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction: Run yum...

Important: unbound

Issue Overview: Certain DNSSEC aspects of the DNS protocol in RFC 4035 and related RFCs allow remote attackers to cause a denial of service CPU consumption via one or more DNSSEC responses when there is a zone with many DNSKEY and RRSIG records, aka the "KeyTrap" issue. The protocol specification...

Important: shim

Issue Overview: A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive...

Important: sudo

Issue Overview: In sudo-1.8.23-10.amzn2.3.6 Amazon Linux 2 and sudo-1.8.23-10.58.amzn1 Amazon Linux 1, a user with an entry in the sudoers file, enabling them to run commands as another unprivileged user, can leverage it to run commands as root. No prior versions are affected. This issue has been...

Low: containerd

Issue Overview: Containerd is not affected by CVE-2023-39325. While it contains the affected module, it does not use it in a way that exposes users to CVE-2023-39325. Affected Packages: containerd Note: This advisory is applicable to Amazon Linux 2 - Docker Extra. Visit this page to learn more...

Important: runc

Issue Overview: AWS is aware of CVE-2024-21626, an issue affecting the runc component of several open source container management systems. Under certain conditions, an actor could leverage a specially crafted container or container configuration to access files or directories outside the...

Medium: jetty

Issue Overview: Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reje...

Medium: woodstox-core

Issue Overview: Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks DOS if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial o...

Medium: nss-softokn

Issue Overview: Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox 121. CVE-2023-6135 Affected Packages: nss-softokn Note: This advisory is applicable...

Important: gstreamer1-plugins-bad-free

Issue Overview: GStreamer-SA-2024-0001: AV1 codec parser potential buffer overflow during tile list parsing NOTE: https://gstreamer.freedesktop.org/security/sa-2024-0001.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/mergerequests/5970 NOTE: Fixed by:...

Medium: unbound

Issue Overview: NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation...

Medium: squid

Issue Overview: Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error page...

Medium: vim

Issue Overview: Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a :s command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive :s call causes free-ing of memory...

Low: sudo

Issue Overview: No CVE associated with this advisory Affected Packages: sudo Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction: Run yum update sudo or yum update --advisor...

Important: squid

Issue Overview: Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remot...

Important: kernel

Issue Overview: An out-of-bounds access vulnerability involving netfilter was reported and fixed as: f1082dd31fe4 netfilter: nftables: Reject tables of unsupported family; While creating a new netfilter table, lack of a safeguard against invalid nftables family pf values within nftablesnewtable...