Low: glib2

Issue Overview: No CVE associated with this advisory Affected Packages: glib2 Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction: Run yum update glib2 or yum update...

Amazon Linux AMI : exim (ALAS-2019-1277)

Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.CVE-2019-15846 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory ALAS-2019-1277. include'compat.inc'; ...

Amazon Linux AMI : poppler (ALAS-2019-1271)

XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef entries, which allows remote attackers to cause a denial of service NULL pointer dereference via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called from Parser::makeStream in Parser.cc.CVE-2018-20481 In Poppl...

Amazon Linux 2 : libvirt (ALAS-2019-1274) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)

Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. CVE-2019-11091 Modern Intel microprocessors implement hardware-level micro-optimizations to improve the...

Amazon Linux AMI : golang (ALAS-2019-1270) (Ping Flood) (Reset Flood)

net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname nor Port, and is related to a non-numeric port number. For example, an...

Amazon Linux 2 : pacemaker (ALAS-2019-1275)

A flaw was found in pacemaker. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS. CVE-2018-16878 A use-after-free flaw was found in pacemaker which could result in certain sensitive information to be leaked via the system logs. CVE-2019-3885 A flaw was...

Amazon Linux 2 : golang (ALAS-2019-1272) (Ping Flood) (Reset Flood)

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU,...

Amazon Linux 2 : edk2 (ALAS-2019-1273)

Logic error in FV parsing in MdeModulePkg\Core\Pei\FwVol\FwVol.c CVE-2018-3630 Logic issue in variable service module for EDK II/UDK2018/UDK2017/UDK2015 may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access...

Important: golang

Issue Overview: Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume...

Important: libvirt

Issue Overview: Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. CVE-2019-11091 Modern Intel microprocessors implement hardware-level micro-optimizations to...

Amazon Linux AMI : ruby20 / ruby21, ruby24 (ALAS-2019-1255)

An issue was discovered in RubyGems. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.CVE-2019-8322 An issue was discovered in RubyGems. Gem::GemcutterUtilitieswithresponse may output the...

Amazon Linux AMI : glib2 (ALAS-2019-1256)

filecopyfallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.CVE-2019-12450 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon...

Amazon Linux AMI : qemu-kvm (ALAS-2019-1260) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)

Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The write operation is split into STA STore Address and STD STore Data sub-operations. These sub-operations allow the processor to hand-off address generation...

Amazon Linux AMI : python34 / python35,python36 (ALAS-2019-1259)

A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies,...

Amazon Linux AMI : GraphicsMagick (ALAS-2019-1257)

GraphicsMagick is now participating in Google's oss-fuzz project due to the contributions and assistance of Alex Gaynor. Since February 4 2018, 343 issues have been opened by oss-fuzz and 331 of those issues have been resolved. The issues list is available at...

Amazon Linux AMI : libssh2 (ALAS-2019-1254)

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.CVE-2019-3855 An integer...

Amazon Linux AMI : python27 (ALAS-2019-1258)

A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies,...

Amazon Linux AMI : lighttpd (ALAS-2019-1265)

An issue was discovered in modaliasphysicalhandler in modalias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific modalias configuration where the matched alias lacks a trailing '/' character, but the alias target...

Amazon Linux AMI : 389-ds-base (ALAS-2019-1261)

1693612 : 389-ds-base: DoS via hanging secured connections It was found that encrypted connections did not honor the 'ioblocktimeout' parameter to end blocking requests. As a result, an unauthenticated attacker could repeatedly start a sufficient number of encrypted connections to block all...

Amazon Linux 2 : mod_http2 (ALAS-2019-1264)

A vulnerability was found in Apache HTTP Server 2.4. Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly. CVE-2019-0196 C Tenable Network Security, Inc...