Amazon Linux AMI : curl (ALAS-2016-730)

curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session. CVE-2016-5419 curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS...

Amazon Linux AMI : mysql56 (ALAS-2016-737)

Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier allows remote administrators to affect availability via vectors related to Server: RBR. CVE-2016-5440 Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier allows remote administrators to affect availability via vectors related t...

Amazon Linux AMI : libtiff (ALAS-2016-733)

Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files. CVE-2014-9655 , CVE-2015-1547 ,...

Amazon Linux AMI : ntp (ALAS-2016-727)

It was discovered that ntpq and ntpdc disclosed the origin timestamp to unauthenticated clients, which could permit such clients to forge the server's replies. CVE-2015-8139 The processpacket function in ntpproto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of...

Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2016-729)

Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. CVE-2016-3606 , CVE-2016-3598 , CVE-2016-3610 Multiple denial of service flaws were found in the JAXP...

Amazon Linux AMI : kernel (ALAS-2016-726)

It was found that nfsd is missing permissions check when setting ACL on files, this may allow a local users to gain access to any file by setting a crafted ACL. CVE-2016-1237 A flaw was found in the Linux kernel's keyring handling code, where in keyrejectandlink an uninitialised variable would...

Amazon Linux AMI : php55 / php56 (ALAS-2016-728) (httpoxy)

A stack consumption vulnerability in GD in PHP allows remote attackers to cause a denial of service via a crafted imagefilltoborder call. CVE-2015-8874 An integer overflow, leading to a heap-based buffer overflow was found in the imagecreatefromgd2 function of PHP's gd extension. A remote attacke...

Amazon Linux AMI : python26 / python27,python34 (ALAS-2016-724)

It was found that Python's httplib library used urllib, urllib2 and others did not properly check HTTP header input in HTTPConnection.putheader. An attacker could use this flow to inject additional headers in a Python application that allows user provided header name or values. CVE-2016-5699 It w...

Amazon Linux AMI : tomcat6 / tomcat7,tomcat8 (ALAS-2016-722) (httpoxy)

Tomcat's CGI support used the value of the Proxy header from HTTP requests to initialize the HTTPPROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibl...

Amazon Linux AMI : java-1.8.0-openjdk (ALAS-2016-723)

Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. CVE-2016-3606 , CVE-2016-3587 , CVE-2016-3598 , CVE-2016-3610 Multiple denial of service flaws were foun...

Amazon Linux AMI : httpd24 / httpd (ALAS-2016-725) (httpoxy)

It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTPPROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could...

Amazon Linux AMI : wget (ALAS-2016-720)

GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. CVE-2016-4971 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory...

Amazon Linux AMI : varnish (ALAS-2016-721)

Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r carriage return character in conjunction with multiple Content-Length headers in an HTTP...

Amazon Linux AMI : libxml2 (ALAS-2016-719)

A heap-based buffer overflow flaw was found in the way libxml2 parsed certain crafted XML input. A remote attacker could provide a specially crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or execute arbitrary code with the...

Amazon Linux AMI : kernel (ALAS-2016-718)

A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitary kernel memory when unloading a kernel module. This action is usually restricted to root-priveledged users but can also be leveraged if the kernel is compiled wit...

Amazon Linux AMI : ImageMagick (ALAS-2016-716)

It was discovered that ImageMagick did not properly sanitize certain input before using it to invoke processes. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to...

Amazon Linux AMI : GraphicsMagick (ALAS-2016-717)

It was discovered that GraphicsMagick did not properly sanitize certain input before using it to invoke processes. A remote attacker could create a specially crafted image that, when processed by an application using GraphicsMagick or an unsuspecting user using the GraphicsMagick utilities, would...

Amazon Linux AMI : squid (ALAS-2016-713)

A buffer overflow flaw was found in the way the Squid cachemgr.cgi utility processed remotely relayed Squid input. When the CGI interface utility is used, a remote attacker could possibly use this flaw to execute arbitrary code. CVE-2016-4051 Buffer overflow and input validation flaws were found ...

Amazon Linux AMI : nginx (ALAS-2016-715)

A problem was identified in nginx code responsible for saving client request body to a temporary file. A specially crafted request might result in worker process crash due to a NULL pointer dereference while writing client request body to a temporary file. C Tenable Network Security, Inc. The...

Amazon Linux AMI : mod24_nss (ALAS-2016-714)

It was reported that +CIPHER operator in OpenSSL changes the order of a cipher. Instead of returning an error as NSS does not support cipher ordering, it returned the result of processing up to that point, which could result in requested ciphers not being enabled. C Tenable Network Security, Inc...