Amazon Linux 2 : python (ALAS-2019-1230)

A NULL pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accep...

Amazon Linux AMI : python27 (ALAS-2019-1230)

Python 2.7.x through 2.7.16 is affected by: Improper Handling of Unicode Encoding with an incorrect netloc during NFKC normalization. The impact is: Information disclosure credentials, cookies, etc. that are cached against a given hostname. The components are: urllib.parse.urlsplit,...

Amazon Linux AMI : kernel (ALAS-2019-1222) (SACK Panic) (SACK Slowness)

CVE-2019-11477 , CVE-2019-11478 and CVE-2019-11479 describe vulnerabilities in the Linux kernel that can be remotely exploited using a specially crafted TCP connection, crashing the targeted system. The latest Amazon Linux AMIs as available in AWS EC2 already contain these kernels and are not...

Amazon Linux 2 : kernel (ALAS-2019-1222) (SACK Panic) (SACK Slowness)

CVE-2019-11477 , CVE-2019-11478 and CVE-2019-11479 describe vulnerabilities in the Linux kernel that can be remotely exploited using a specially crafted TCP connection, crashing the targeted system. The latest Amazon Linux 2 AMIs as available in AWS EC2 already contain these kernels and are not...

Amazon Linux 2 : wget (ALAS-2019-1227)

Buffer overflow in GNU Wget allows remote attackers to cause a denial-of-service DoS or may execute an arbitrary code via unspecified vectors. CVE-2019-5953 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux 2 Security Advisory...

Amazon Linux AMI : python-jinja2 (ALAS-2019-1223)

In Pallets Jinja, str.format allows a sandbox escape. CVE-2016-10745 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory ALAS-2019-1223. include'compat.inc'; if description scriptid125902; scriptversion"1.3...

Amazon Linux 2 : thunderbird (ALAS-2019-1229)

Mozilla: Buffer overflow in WebGL bufferdata on Linux CVE-2019-11693 Mozilla: Use-after-free in XMLHttpRequest CVE-2019-11691 Cross-origin images can be read in violation of the same-origin policy by exporting an image after using createImageBitmap to read the image and then rendering the resulti...

Amazon Linux AMI : php71 / php72,php73 (ALAS-2019-1225)

When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exifiifaddvalue function. This may lead to information disclosure or crash. CVE-2019-11035 When processing certain files, PHP...

Amazon Linux AMI : python-urllib3 (ALAS-2019-1224)

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect i.e., a redirect that differs in host, port, or scheme. This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext...

Amazon Linux 2 : libX11 (ALAS-2019-1226)

An off-by-one error has been discovered in libX11 in functions XGetFontPath, XListExtensions, and XListFonts. An attacker who can either configure a malicious X server or modify the data coming from one could use this flaw to make the program crash or have other unspecified effects, caused by the...

Critical: kernel

Issue Overview: CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479 describe vulnerabilities in the Linux kernel that can be remotely exploited using a specially crafted TCP connection, crashing the targeted system. The latest Amazon Linux 2 AMIs as available in AWS EC2 already contain these kernel...

Important: python-jinja2

Issue Overview: In Pallets Jinja, str.format allows a sandbox escape. CVE-2016-10745 Affected Packages: python-jinja2 Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction: Ru...

Amazon Linux AMI : exim (ALAS-2019-1221)

A flaw was found in Exim versions 4.87 to 4.91 before release 1.20 inclusive. Improper validation of recipient address in delivermessage function in /src/deliver.c may lead to remote command execution. CVE-2019-10149 C Tenable Network Security, Inc. The descriptive text and package checks in this...

Amazon Linux 2 : poppler (ALAS-2019-1217)

There is a NULL pointer dereference in the AnnotPath::getCoordsLength function in Annot.h. A crafted input will lead to a remote denial of service attack. Poppler versions later than 0.41.0 are not affected.CVE-2018-10768 The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler allows...

Amazon Linux 2 : libxml2 (ALAS-2019-1220)

A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to leak potentially sensitive information.CVE-2015-8242 A denial of service flaw was found in...

Amazon Linux AMI : python36 (ALAS-2019-1204)

Python is affected by improper Handling of Unicode Encoding with an incorrect netloc during NFKC normalization. The impact is: Information disclosure credentials, cookies, etc. that are cached against a given hostname. The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack...

Amazon Linux 2 : freeradius (ALAS-2019-1218)

FreeRADIUS mishandles the 'each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used' protection mechanism, aka a 'Dragonblood' issue, a similar issue to CVE-2019-9498 and CVE-2019-9499 .CVE-2019-11235...

Amazon Linux 2 : flatpak (ALAS-2019-1219)

Flatpak allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox...

Amazon Linux 2 : openssh (ALAS-2019-1216)

An issue was discovered in OpenSSH. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned only directory traversal attacks are prevented. A...

Medium: libxml2

Issue Overview: A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to leak potentially sensitive information.CVE-2015-8242 A denial of service flaw w...