Amazon Linux AMI : php70 (ALAS-2016-754)

ext/mysqlnd/mysqlndwireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNEDFLAG flag, which allows remote MySQL servers to cause a denial of service heap-based buffer overflow or possibly have unspecified other impact via crafted field metadata...

Amazon Linux AMI : GraphicsMagick (ALAS-2016-752)

A possible heap overflow was discovered in the EscapeParenthesis function CVE-2016-7447. Various issues were found in the processing of SVG files in GraphicsMagick CVE-2016-7446. The TIFF reader had a bug pertaining to use of TIFFGetField when a 'count' value is returned. The bug caused a heap re...

Amazon Linux AMI : bind (ALAS-2016-751)

A denial of service flaw was found in the way BIND constructed a response to a query that met certain criteria. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request packet. C Tenable Network Security, Inc. The...

Amazon Linux AMI : libarchive (ALAS-2016-743)

A flaw was found in the way libarchive handled hardlink archive entries of non-zero size. Combined with flaws in libarchive's file system sandboxing, this issue could cause an application using libarchive to overwrite arbitrary files with arbitrary data from the archive. CVE-2016-5418 Multiple...

Amazon Linux AMI : openvpn (ALAS-2016-750) (SWEET32)

Ciphers with 64-bit block sizes used in CBC mode were found to be vulnerable to a birthday attack when key renegotiation doesn't happen frequently or at all in long running connections. The blowfish cipher as used in OpenVPN by default is vulnerable to this attack, allowing a remote attacker to...

Amazon Linux AMI : curl (ALAS-2016-742)

After testing original CVE-2016-5420 patch, it was discovered that libcurl built on top of NSS Network Security Services still incorrectly re-uses client certificates if a certificate from file is used for one TLS connection but no certificate is set for a subsequent TLS connection. C Tenable...

Amazon Linux AMI : openssl (ALAS-2016-749)

A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it...

Amazon Linux AMI : libgcrypt / gnupg (ALAS-2016-744)

A design flaw was found in the libgcrypt PRNG Pseudo-Random Number Generator. An attacker who can obtain the first 580 bytes of the PRNG output can trivially predict the following 20 bytes. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from...

Amazon Linux AMI : postgresql92 / postgresql93,postgresql94 (ALAS-2016-747)

A flaw was found in the way PostgreSQL server handled certain SQL statements containing CASE/WHEN commands. A remote, authenticated attacker could use a specially crafted SQL statement to cause PostgreSQL to crash or disclose a few bytes of server memory or possibly execute arbitrary code...

Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2016-748)

An insufficient bytecode verification flaw was discovered in the Hotspot component in OpenJDK. An untrusted Java application or applet could use this flaw to completely bypass Java sandbox restrictions. CVE-2016-3606 Multiple denial of service flaws were found in the JAXP component in OpenJDK. A...

Amazon Linux AMI : lighttpd (ALAS-2016-746)

It was discovered that lighttpd class did not properly protect against the HTTPPROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. C Tenable...

Amazon Linux AMI : bind (ALAS-2016-745)

It was found that the lightweight resolver could crash due to an error when asked to resolve a query name which, when combined with a search list entry, exceeds the maximum allowable length. A remote attacker could use this flaw to crash lwresd or named when using the 'lwres' statement in...

Amazon Linux AMI : collectd (ALAS-2016-739)

A heap-based buffer overflow in the parsepacket function in network.c in collectd allows remote attackers to cause a denial of service daemon crash or possibly execute arbitrary code via a crafted network packet. C Tenable Network Security, Inc. The descriptive text and package checks in this...

Amazon Linux AMI : kernel (ALAS-2016-740)

A use after free vulnerability was found in tcpxmitretransmitqueue and other tcp functions. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory ALAS-2016-740. include'compat.inc'; if description...

Amazon Linux AMI : python34 / python27,python26 (ALAS-2016-741) (httpoxy)

It was discovered that the Python CGIHandler class did not properly protect against the HTTPPROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP...

Amazon Linux AMI : tomcat7 / tomcat8 (ALAS-2016-736)

A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer 4096 bytes used to read the uploaded file if the boundary was the typical tens of bytes long. C Tenable Network Security, Inc. The...

Amazon Linux AMI : mysql56 (ALAS-2016-737)

Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier allows remote administrators to affect availability via vectors related to Server: RBR. CVE-2016-5440 Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier allows remote administrators to affect availability via vectors related t...

Amazon Linux AMI : curl (ALAS-2016-730)

curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session. CVE-2016-5419 curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS...

Amazon Linux AMI : golang (ALAS-2016-731) (httpoxy)

An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable 'HTTPPROXY' using the incoming 'Proxy' HTTP-request header. The environment variable 'HTTPPROXY' is used by numerous web clients, including Go's net/http package,...

Amazon Linux AMI : compat-libtiff3 (ALAS-2016-734)

Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files. CVE-2014-9655 , CVE-2015-1547 ,...