Lucene search

9341 matches found

Amazon
added 2019/05/02 12:0 a.m. | 72 views

Important: python3

Issue Overview: Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are...

CVSS 9.8 | AI score 8.3 | EPSS 0.08811
Exploits: 1

Tenable Nessus
added 2019/04/26 12:0 a.m. | 36 views

Amazon Linux 2 : mod_http2 (ALAS-2019-1197)

In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections. (CVE-2018-17189) (C) Tenable Network...

CVSS 5.3 | AI score 6.3 | EPSS 0.19404
Exploits: 0 | References: 2

Tenable Nessus
added 2019/04/26 12:0 a.m. | 47 views

Amazon Linux 2 : thunderbird (ALAS-2019-1195)

When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior is disallowed by default when a proxy is...

CVSS 9.8 | AI score 7.8 | EPSS 0.29514
Exploits: 24 | References: 11

Tenable Nessus
added 2019/04/26 12:0 a.m. | 24 views

Amazon Linux 2 : openwsman (ALAS-2019-1196)

Earlier versions of Openwsman are vulnerable to arbitrary file disclosure because the working directory of openwsmand daemon was set to root directory. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to openwsman server. (CVE-2019-3816) ...

CVSS 7.5 | AI score 7.6 | EPSS 0.14739
Exploits: 0 | References: 2

Tenable Nessus
added 2019/04/26 12:0 a.m. | 37 views

Amazon Linux 2 : libjpeg-turbo (ALAS-2019-1198)

A divide by zero vulnerability has been discovered in libjpeg-turbo in alloc_sarray function of jmemmgr.c file. An attacker could use this vulnerability to cause a denial of service via a crafted file. (CVE-2018-11212) (C) Tenable Network Security, Inc. The descriptive text and package checks in this...

CVSS 6.5 | AI score 6.3 | EPSS 0.04898
Exploits: 1 | References: 2

Tenable Nessus
added 2019/04/26 12:0 a.m. | 58 views

Amazon Linux 2 : libssh2 (ALAS-2019-1199)

An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server. (CVE-2019-3856) An integ...

CVSS 9.3 | AI score 7.4 | EPSS 0.09219
Exploits: 0 | References: 5

Tenable Nessus
added 2019/04/22 12:0 a.m. | 28 views

Amazon Linux AMI : wget (ALAS-2019-1194)

A buffer overflow vulnerability was found in GNU Wget. An attacker may be able to cause a denial-of-service (DoS) or may execute an arbitrary code. (CVE-2019-5953) (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security...

CVSS 9.8 | AI score 8.3 | EPSS 0.05141
Exploits: 0 | References: 2

Tenable Nessus
added 2019/04/22 12:0 a.m. | 16 views

Amazon Linux AMI : fuse (ALAS-2018-1123)

A vulnerability was discovered in fuse. When SELinux is active, fusermount is vulnerable to a restriction bypass. This allows non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use...

CVSS 7.8 | AI score 6.6 | EPSS 0.01414
Exploits: 3 | References: 2

Tenable Nessus
added 2019/04/18 12:0 a.m. | 36 views

Amazon Linux 2 : freerdp (ALAS-2019-1191)

FreeRDP prior to version 2.0.0-rc4 contains an Out-Of-Bounds Write of up to 4 bytes in function nsc_rle_decode() that results in a memory corruption and possibly even a remote code execution. (CVE-2018-8788) FreeRDP prior to version 2.0.0-rc4 contains an Integer Overflow that leads to a Heap-Based Buffe...

CVSS 9.8 | AI score 8.6 | EPSS 0.08357
Exploits: 3 | References: 4

Tenable Nessus
added 2019/04/18 12:0 a.m. | 35 views

Amazon Linux 2 : openssl (ALAS-2019-1188)

A microprocessor side-channel vulnerability was found on SMT (e.g, Hyper-Threading) architectures. An attacker running a malicious process on the same core of the processor as the victim process can extract certain secret information. (CVE-2018-5407) If an application encounters a fatal protocol error...

CVSS 5.9 | AI score 6.8 | EPSS 0.17139
Exploits: 4 | References: 3

Tenable Nessus
added 2019/04/18 12:0 a.m. | 52 views

Amazon Linux 2 : mariadb (ALAS-2019-1193)

The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation. (CVE-2016-9843) Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Storage Engines). Supported versions th...

CVSS 9.8 | AI score 7 | EPSS 0.05999
Exploits: 0 | References: 4

Tenable Nessus
added 2019/04/18 12:0 a.m. | 67 views

Amazon Linux 2 : tomcat (ALAS-2019-1192)

When the default servlet in Apache Tomcat returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice. (CVE-2018-11784) (C) Tenable Network Security, Inc. Th...

CVSS 4.3 | AI score 6 | EPSS 0.94494
Exploits: 3 | References: 2

Tenable Nessus
added 2019/04/18 12:0 a.m. | 62 views

Amazon Linux 2 : httpd (ALAS-2019-1189)

In Apache HTTP Server with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboar...

CVSS 7.8 | AI score 6.9 | EPSS 0.65005
Exploits: 8 | References: 7

Tenable Nessus
added 2019/04/18 12:0 a.m. | 29 views

Amazon Linux 2 : bind (ALAS-2019-1187)

To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update...

CVSS 6.5 | AI score 6.8 | EPSS 0.05285
Exploits: 0 | References: 2

Tenable Nessus
added 2019/04/10 12:0 a.m. | 50 views

Amazon Linux AMI : httpd24 (ALAS-2019-1189)

In Apache HTTP Server with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboar...

CVSS 7.8 | AI score 6.9 | EPSS 0.65005
Exploits: 8 | References: 7

Tenable Nessus
added 2019/04/10 12:0 a.m. | 24 views

Amazon Linux AMI : bind (ALAS-2019-1187)

To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update...

CVSS 6.5 | AI score 6.8 | EPSS 0.05285
Exploits: 0 | References: 2

Amazon
added 2019/04/08 12:0 a.m. | 46 views

Medium: mariadb

Issue Overview: The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation. (CVE-2016-9843) Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Storage Engines)...

CVSS 9.8 | AI score 7.6 | EPSS 0.05999
Exploits: 0

Tenable Nessus
added 2019/04/05 12:0 a.m. | 14 views

Amazon Linux 2 : filesystem (ALAS-2019-1190)

Images built for the Amazon Linux 2.0.20190313 release included system files with incorrect permissions applied. Incorrect permissions were applied to the following file: /etc/shadow All users should upgrade to this updated package which corrects permissions for these files if they are not alrea...

AI score 5.5
Exploits: 0 | References: 1

Amazon
added 2019/04/04 12:0 a.m. | 13 views

Important: filesystem

Issue Overview: Images built for the Amazon Linux 2.0.20190313 release included system files with incorrect permissions applied. Incorrect permissions were applied to the following file: /etc/shadow All users should upgrade to this updated package which corrects permissions for these files if the...

AI score 7.1
Exploits: 0

Amazon
added 2019/04/04 12:0 a.m. | 34 views

Important: freerdp

Issue Overview: FreeRDP prior to version 2.0.0-rc4 contains an Out-Of-Bounds Write of up to 4 bytes in function nsc_rle_decode() that results in a memory corruption and possibly even a remote code execution. (CVE-2018-8788) FreeRDP prior to version 2.0.0-rc4 contains an Integer Overflow that leads to a...

CVSS 9.8 | AI score 9.4 | EPSS 0.08357
Exploits: 3