Amazon Linux AMI : mod_dav_svn / subversion (ALAS-2015-555)

A NULL pointer dereference flaw was found in the way the moddavsvn module handled certain requests for URIs that trigger a lookup of a virtual transaction name. A remote, unauthenticated attacker could send a request for a virtual transaction name that does not exist, causing moddavsvn to crash...

Amazon Linux AMI : libtiff (ALAS-2015-553)

Use of uninitialized memory was reported in in libtiff. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory ALAS-2015-553. include"compat.inc"; if description scriptid84370; scriptversion"2.4";...

Amazon Linux AMI : python27 (ALAS-2015-552)

It was discovered that multiple Python standard library modules implementing network protocols such as httplib or smtplib failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory.CVE-2013-1752 ...

Amazon Linux AMI : t1utils (ALAS-2015-554)

A buffer overflow flaw was found in the way t1utils processed, for example, certain PFB Printer Font Binary files. An attacker could use this flaw to potentially execute arbitrary code by tricking a user into processing a specially crafted PFB file with t1utils. C Tenable Network Security, Inc. T...

Amazon Linux AMI : curl (ALAS-2015-551)

As discussed upstream, libcurl can wrongly send HTTP credentials when re-using connections. CVE-2015-3236 Also discussed upstream, libcurl can get tricked by a malicious SMB server to send off data it did not intend to. CVE-2015-3237 C Tenable Network Security, Inc. The descriptive text and packa...

Amazon Linux AMI : ruby22 (ALAS-2015-549)

RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specificly a SRV record rubygems.tcp under the original requested domain. RubyGems did not validate the hostname returned in...

Amazon Linux AMI : postgresql93 (ALAS-2015-546)

Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service crash by closing an SSL session at a time when the authentication timeout will expire during the session...

Amazon Linux AMI : postgresql92 (ALAS-2015-545)

Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service crash by closing an SSL session at a time when the authentication timeout will expire during the session...

Amazon Linux AMI : kernel (ALAS-2015-544)

A flaw was found in the way seunshare, a utility for running executables under a different security context, used the capnglock functionality of the libcap-ng library. The subsequent invocation of suid root binaries that relied on the fact that the setuid system call, among others, also sets the...

Amazon Linux AMI : e2fsprogs (ALAS-2015-542)

A heap-based buffer overflow flaw was found in e2fsprogs. A specially crafted Ext2/3/4 file system could cause an application using the ext2fs library for example, fsck to crash or, possibly, execute arbitrary code. C Tenable Network Security, Inc. The descriptive text and package checks in this...

Amazon Linux AMI : ruby21 (ALAS-2015-548)

RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specificly a SRV record rubygems.tcp under the original requested domain. RubyGems did not validate the hostname returned in...

Amazon Linux AMI : ruby20 (ALAS-2015-547)

RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specificly a SRV record rubygems.tcp under the original requested domain. RubyGems did not validate the hostname returned in...

Amazon Linux AMI : libcap-ng (ALAS-2015-543)

A flaw was found in the way seunshare, a utility for running executables under a different security context, used the capnglock functionality of the libcap-ng library. The subsequent invocation of suid root binaries that relied on the fact that the setuid system call, among others, also sets the...

Amazon Linux AMI : openssl (ALAS-2015-550) (Logjam)

LOGJAM: A flaw was found in the way the TLS protocol composes the Diffie-Hellman exchange for both export and non-export grade cipher suites. An attacker could use this flaw to downgrade a DHE connection to use export-grade key sizes, which could then be broken by sufficient pre-computation. This...

Amazon Linux AMI : libjpeg-turbo (ALAS-2015-540)

A flaw in libjpeg-turbo was reported that could lead to a local denial of service when processing a specially crafted JPEG issue. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory ALAS-2015-540...

Amazon Linux AMI : python-pip (ALAS-2015-541)

A flaw was found in the way python-requests set the domain cookie parameter for certain HTTP responses. A remote attacker could use this flaw to modify a cookie to be sent to an arbitrary URL. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted...

Amazon Linux AMI : php55 (ALAS-2015-535)

An integer underflow flaw leading to out-of-bounds memory access was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. CVE-2015-4021 An integer overflow flaw leading to a heap based...

Amazon Linux AMI : clamav (ALAS-2015-537)

ClamAV before 0.98.7 allows remote attackers to cause a denial of service infinite loop via a crafted y0da cryptor file. CVE-2015-2221 ClamAV before 0.98.7 allows remote attackers to cause a denial of service infinite loop via a crafted xz archive file. CVE-2015-2668 ClamAV before 0.98.7 allows...

Amazon Linux AMI : php54 (ALAS-2015-534)

An integer underflow flaw leading to out-of-bounds memory access was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. CVE-2015-4021 An integer overflow flaw leading to a heap based...

Amazon Linux AMI : php56 (ALAS-2015-536)

An integer underflow flaw leading to out-of-bounds memory access was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. CVE-2015-4021 An integer overflow flaw leading to a heap based...