Amazon Linux 2 : freerdp (ALAS-2019-1365)

FreeRDP FreeRDP 2.0.0-rc3 released version before commit 205c612820dac644d665b5bb1cdf437dc5ca01e3 contains a Other/Unknown vulnerability in channels/drdynvc/client/drdynvcmain.c, drdynvcprocesscapabilityrequest that can result in The RDP server can read the client's memory.. This attack appear to...

Amazon Linux AMI : glibc (ALAS-2019-1320)

In the GNU C Library aka glibc or libc6 through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the...

Amazon Linux AMI : blktrace (ALAS-2019-1319)

blktrace aka Block IO Tracing 1.2.0, as used with the Linux kernel and Android, has a buffer overflow in the devmapread function in btt/devmap.c because the device and devno arrays are too small, as demonstrated by an invalid free when using the btt program with a crafted file. CVE-2018-10689 C...

Amazon Linux 2 : rsyslog (ALAS-2019-1369)

A denial of service vulnerability was found in rsyslog in the imptcp module. An attacker could send a specially crafted message to the imptcp socket, which would cause rsyslog to crash.CVE-2018-16881 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were...

Amazon Linux 2 : ntp (ALAS-2019-1367)

The ntpq and ntpdc command-line utilities that are part of ntp package are vulnerable to stack-based buffer overflow via crafted hostname. Applications using these vulnerable utilities with an untrusted input may be potentially exploited, resulting in a crash or arbitrary code execution under...

Amazon Linux 2 : python / python3 (ALAS-2019-1368)

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To header...

Amazon Linux AMI : golang (ALAS-2019-1321)

It was discovered that net/http through net/textproto in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or ...

Amazon Linux AMI : kernel (ALAS-2019-1322)

A flaw was found in the way Intel CPUs handle inconsistency between, virtual to physical memory address translations in CPU's local cache and system software's Paging structure entries. A privileged guest user may use this flaw to induce a hardware Machine Check Error on the host processor,...

Medium: python, python3

Issue Overview: An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on th...

Medium: rsyslog

Issue Overview: A denial of service vulnerability was found in rsyslog in the imptcp module. An attacker could send a specially crafted message to the imptcp socket, which would cause rsyslog to crash.CVE-2018-16881 Affected Packages: rsyslog Note: This advisory is applicable to Amazon Linux 2 AL...

Low: ntp

Issue Overview: The ntpq and ntpdc command-line utilities that are part of ntp package are vulnerable to stack-based buffer overflow via crafted hostname. Applications using these vulnerable utilities with an untrusted input may be potentially exploited, resulting in a crash or arbitrary code...

Amazon Linux AMI : microcode_ctl / kernel (ALAS-2019-1318)

This security update is only applicable to EC2 Bare Metal instance types using Intel processors. Intel has released microcode updates for certain Intel CPUs. After installing the updated microcodectl package, the microcode will be automatically activated on next boot. Improper conditions check in...

Amazon Linux 2 : microcode_ctl / kernel (ALAS-2019-1364)

This security update is only applicable to EC2 Bare Metal instance types using Intel processors. Intel has released microcode updates for certain Intel CPUs. After installing the updated microcodectl package, the microcode will be automatically activated on next boot. Improper conditions check in...

Amazon Linux 2 : spice-gtk (ALAS-2019-1363)

Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames. A malicious server could cause the client to crash or, potentially, execute arbitrary code. CVE-2018-10893 C Tenable Network Security, Inc. The descriptive text and package...

Amazon Linux 2 : openssl (ALAS-2019-1362)

If an application encounters a fatal protocol error and then calls SSLshutdown twice once to send a closenotify, and once to receive one then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received...

Amazon Linux 2 : libvirt (ALAS-2019-1361)

A NULL pointer dereference flaw was discovered in libvirt in the way it gets interface information through the QEMU agent. An attacker in a guest VM can use this flaw to crash libvirtd and cause a denial of service. CVE-2019-3840 C Tenable Network Security, Inc. The descriptive text and package...

Amazon Linux 2 : libevent (ALAS-2019-1359)

Multiple integer overflows in the evbuffer API in Libevent 1.4.x before 1.4.15, 2.0.x before 2.0.22, and 2.1.x before 2.1.5-beta allow context-dependent attackers to cause a denial of service or possibly have other unspecified impact via 'insanely large inputs' to the 1 evbufferadd, 2...

Amazon Linux 2 : binutils (ALAS-2019-1358)

An issue was discovered in armpt in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demanglearmhptemplate, demangleclassname, demanglefundtype, dotype, doarg,...

Amazon Linux 2 : libseccomp (ALAS-2019-1360)

libseccomp before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators LT, GT, LE, GE, which might able to lead to bypassing seccomp filters and potential privilege escalations. CVE-2019-9893 C Tenable Network Security, Inc. The descriptive text and...

Medium: spice-gtk

Issue Overview: Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames. A malicious server could cause the client to crash or, potentially, execute arbitrary code. CVE-2018-10893 Affected Packages: spice-gtk Note: This advisory is...