Amazon Linux AMI : php72 (ALAS-2018-1067)

exifprocessIFDinMAKERNOTE in ext/exif/exif.c in PHP 7.2.x before 7.2.8 allows remote attackers to cause a denial of service out-of-bounds read and application crash via a crafted JPEG file.CVE-2018-14851 exifreadfromimpl in ext/exif/exif.c in PHP 7.2.x through 7.2.7 allows attackers to trigger a...

Amazon Linux AMI : mysql55 (ALAS-2018-1068)

Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: Server: Options. Supported versions that are affected are 5.5.60 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successfu...

Amazon Linux 2 : java-1.7.0-openjdk (ALAS-2018-1064)

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE subcomponent: Concurrency. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this...

Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2018-1064)

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE subcomponent: Concurrency. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this...

Medium: httpd

Issue Overview: By specially crafting HTTP requests, the modmd challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. Fixed in Apache HTTP Server 2.4.34 Affected 2.4.33. CVE-2018-8011 Affected Packages: httpd Note: This...

Important: openslp

Issue Overview: A use-after-free flaw in OpenSLP 1.x and 2.x baselines was discovered in the ProcessSrvRqst function. A failure to update a local pointer may lead to heap corruption. A remote attacker may be able to leverage this flaw to gain remote code execution.CVE-2017-17833 Affected Packages...

Critical: thunderbird

Issue Overview: Use-after-free when appending DOM nodes CVE-2018-12363 Use-after-free using focus CVE-2018-12360 Compromised IPC child process can list local filenames CVE-2018-12365 Buffer overflow using computed size of canvas element CVE-2018-12359 Using form to exfiltrate encrypted mail part ...

Amazon Linux 2 : kernel (ALAS-2018-1058) (Foreshadow)

Fixes for L1Terminal Fault security issues : L1 Terminal Fault-OS/ SMM : Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page...

Amazon Linux AMI : kernel (ALAS-2018-1058) (Foreshadow)

Fixes for L1Terminal Fault security issues : L1 Terminal Fault-OS/ SMM : Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page...

Amazon Linux AMI : tomcat7 / tomcat80 (ALAS-2018-1055)

The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore,...

Critical: kernel

Issue Overview: Fixes for L1Terminal Fault security issues: L1 Terminal Fault-OS/ SMM: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a...

Amazon Linux AMI : tomcat8 (ALAS-2018-1056)

The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore,...

Amazon Linux AMI : yum-utils (ALAS-2018-1057)

A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path...

Amazon Linux 2 : ncurses (ALAS-2018-1053)

A NULL pointer dereference was found in the way the ncparseentry function parses terminfo data for compilation. An attacker able to provide specially crafted terminfo data could use this flaw to crash the application parsing it.CVE-2018-10754 C Tenable Network Security, Inc. The descriptive text...

Amazon Linux 2 : gnupg2 (ALAS-2018-1045)

A data validation flaw was found in the way gnupg processes file names during decryption and signature validation. An attacker may be able to inject messages into gnupg verbose message logging which may have the potential to bypass the integrity of signature authentication mechanisms and could ha...

Amazon Linux 2 : curl (ALAS-2018-1052)

A heap-based buffer overflow has been found in the Curlsmtpescapeeob function of curl. An attacker could exploit this by convincing a user to use curl to upload data over SMTP with a reduced buffer to cause a crash or corrupt memory.CVE-2018-0500 C Tenable Network Security, Inc. The descriptive...

Amazon Linux AMI : java-1.8.0-openjdk (ALAS-2018-1054)

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE subcomponent: Concurrency. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this...

Amazon Linux 2 : java-1.8.0-openjdk (ALAS-2018-1054)

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE subcomponent: Concurrency. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this...

Medium: curl

Issue Overview: A heap-based buffer overflow has been found in the Curlsmtpescapeeob function of curl. An attacker could exploit this by convincing a user to use curl to upload data over SMTP with a reduced buffer to cause a crash or corrupt memory.CVE-2018-0500 Affected Packages: curl Note: This...

Medium: java-1.8.0-openjdk

Issue Overview: Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE subcomponent: Concurrency. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful...