Amazon Linux AMI : mysql51 (ALAS-2017-800)
It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server...
Amazon Linux AMI : tomcat7 / tomcat8 (ALAS-2017-796)
A bug in the error handling of the send file code for the NIO HTTP connector resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information...
Amazon Linux AMI : openldap (ALAS-2017-799)
A flaw was found in the way OpenLDAP parsed OpenSSL-style cipher strings. As a result, OpenLDAP could potentially use ciphers that were not intended to be enabled. (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security...
Amazon Linux AMI : bind (ALAS-2017-798)
A denial of service flaw was found in the way BIND handled a query response containing inconsistent DNSSEC information. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response.
Amazon Linux AMI : glibc (ALAS-2017-792)
A stack overflow vulnerability was found in _nss_dns_getnetbyname_r. On systems with nsswitch configured to include 'networks: dns' with a privileged or network-facing service that would attempt to resolve user-provided network names, an attacker could provide an excessively long network name,...
Amazon Linux AMI : krb5 (ALAS-2017-793)
A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmin...
Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2017-795)
It was discovered that the Hotspot component of OpenJDK did not properly check arguments of the System.arraycopy function in certain cases. An untrusted Java application or applet could use this flaw to corrupt virtual machine's memory and completely bypass Java sandbox restrictions. CVE-2016-558...
Amazon Linux AMI : subversion / mod_dav_svn (ALAS-2017-794)
It was discovered that Subversion's mod_dontdothat module and Subversion clients using https:// are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. An authenticated remote attacker can cause denial-of-service conditions on the server using mod_dontdothat by...
Amazon Linux AMI : php70 (ALAS-2017-788)
The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data. CVE-2016-7480...
Amazon Linux AMI : mysql56 (ALAS-2017-790)
The following security-related issues were fixed: CVE-2016-8318 Server: Security: Encryption unspecified vulnerability; CVE-2016-8327 Server: Replication unspecified vulnerability; CVE-2017-3238 Server: Optimizer unspecified vulnerability; CVE-2017-3244 Server: DML unspecified vulnerability...
Amazon Linux AMI : php56 (ALAS-2017-787)
A vulnerability was found in gd. Integer underflow in a calculation in dynamicGetbuf was incorrectly handled, leading in some circumstances to an out of bounds write through a very large argument to memcpy. An attacker could create a crafted image that would lead to a crash or, potentially, code...
Amazon Linux AMI : mysql55 (ALAS-2017-789)
The following security-related issues were fixed: CVE-2017-3238 Server: Optimizer unspecified vulnerability; CVE-2017-3243 Server: Charsets unspecified vulnerability; CVE-2017-3244 Server: DML unspecified vulnerability; CVE-2017-3258 Server: DDL unspecified vulnerability; CVE-2017-3313 Server: MyISA...
Amazon Linux AMI : httpd24 (ALAS-2017-785)
The following security-related issues were fixed: Padding oracle vulnerability in Apache mod_session_crypto (CVE-2016-0736); DoS vulnerability in mod_auth_digest (CVE-2016-2161); Apache HTTP request parsing whitespace defects (CVE-2016-8743).
Amazon Linux AMI : kernel (ALAS-2017-786)
The sg implementation in the Linux kernel did not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device,...
Amazon Linux AMI : ghostscript (ALAS-2017-784)
It was found that the ghostscript functions getenv, filenameforall and .libfile did not honor the -dSAFER option, usually used when processing untrusted documents, leading to information disclosure. A specially crafted postscript document could read environment variable, list directory and retrie...
Amazon Linux AMI : docker (ALAS-2017-783)
It was discovered that runC allowed additional container processes via runc exec to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file descriptors of these new processes during the initialization, which can lead to...
Amazon Linux AMI : ntp (ALAS-2017-781)
The following security-related issues were resolved: CVE-2016-7426: Client rate limiting and server responses; CVE-2016-7429: Attack on interface selection; CVE-2016-7433: Broken initial sync calculations regression; CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS...
Amazon Linux AMI : sudo (ALAS-2017-780)
It was discovered that the sudo noexec restriction could have been bypassed if application run via sudo executed system() or popen() C library functions with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could use this flaw to execute...
Amazon Linux AMI : vim (ALAS-2016-779)
A vulnerability was found in vim in how certain modeline options were treated. An attacker could craft a file that, when opened in vim with modelines enabled, could execute arbitrary commands with privileges of the user running vim. modelines are disabled by default for root, and enabled by defau...
Amazon Linux AMI : nss-util / nss,nss-softokn (ALAS-2016-774)
CVE-2016-2834 nss: Multiple security flaws MFSA 2016-61 Multiple buffer handling flaws were found in the way NSS handled cryptographic data from the network. A remote attacker could use these flaws to crash an application using NSS or, possibly, execute arbitrary code with the permission of the...