Amazon Linux AMI : xorg-x11-server (ALAS-2015-470)

Multiple integer overflow flaws and out-of-bounds write flaws were found in the way the X.Org server calculated memory requirements for certain X11 core protocol and GLX extension requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server or, potentially...

Amazon Linux AMI : openssl (ALAS-2015-469) (FREAK)

OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service NULL pointer dereference and application crash via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake bod...

Amazon Linux AMI : php55 (ALAS-2015-464)

Use-after-free vulnerability in the processnesteddata function in ext/standard/varunserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys...

Amazon Linux AMI : jasper (ALAS-2015-466)

Multiple off-by-one flaws, leading to heap-based buffer overflows, were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. CVE-2014-9029 A heap-based buffer overflow flaw was found ...

Amazon Linux AMI : php54 (ALAS-2015-463)

Use-after-free vulnerability in the processnesteddata function in ext/standard/varunserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys...

Amazon Linux AMI : mailx (ALAS-2015-467)

A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality. CVE-2004-2771 , CVE-2014-7844...

Amazon Linux AMI : glibc (ALAS-2015-468)

An out-of-bounds read flaw was found in the way glibc's iconv function converted certain encoded data to UTF-8. An attacker able to make an application call the iconv function with a specially crafted argument could use this flaw to crash that application. CVE-2014-6040 It was found that the...

Amazon Linux AMI : bind (ALAS-2015-465)

A denial of service flaw was found in the way BIND followed DNS delegations. A remote attacker could use a specially crafted zone containing a large number of referrals which, when looked up and processed, would cause named to use excessive amounts of memory or crash. CVE-2014-8500 C Tenable...

Amazon Linux AMI : ntp (ALAS-2014-462)

It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc...

Amazon Linux AMI : docker (ALAS-2014-461)

Path traversal attacks are possible in the processing of absolute symlinks. In checking symlinks for traversals, only relative links were considered. This allowed path traversals to exist where they should have otherwise been prevented. This was exploitable via both archive extraction and through...

Amazon Linux AMI : openvpn (ALAS-2014-459)

OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service server crash via a small control channel packet. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from...

Amazon Linux AMI : php-ZendFramework (ALAS-2014-460)

The 1 ZendLdap class in Zend before 1.12.9 and 2 Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind. CVE-2014-8088 The 1.12.9, 2.2.8, and 2.3.3 releas...

Amazon Linux AMI : rpm (ALAS-2014-458)

It was found that RPM could encounter an integer overflow, leading to a stack-based overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during...

Amazon Linux AMI : clamav (ALAS-2014-457)

clamscan in ClamAV before 0.98.5, when using -a option, allows remote attackers to cause a denial of service crash as demonstrated by the jwplayer.js file. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisor...

Amazon Linux AMI : kernel (ALAS-2014-455)

The sctpprocessparam function in net/sctp/smmakechunk.c in the SCTP implementation in the Linux kernel before 3.17.4, when ASCONF is used, allows remote attackers to cause a denial of service NULL pointer dereference and system crash via a malformed INIT chunk. CVE-2014-7841 The pivotroot...

Amazon Linux AMI : php54 (ALAS-2014-450)

An out-of-bounds read flaw was found in the way the File Information fileinfo extension parsed Executable and Linkable Format ELF files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted ELF file. C Tenable Network Security, Inc. The descripti...

Amazon Linux AMI : php55 (ALAS-2014-451)

An out-of-bounds read flaw was found in the way the File Information fileinfo extension parsed Executable and Linkable Format ELF files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted ELF file. C Tenable Network Security, Inc. The descripti...

Amazon Linux AMI : file (ALAS-2014-453)

An out-of-bounds read flaw was found in the way the File Information fileinfo extension parsed Executable and Linkable Format ELF files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted ELF file. C Tenable Network Security, Inc. The descripti...

Amazon Linux AMI : docker (ALAS-2014-454)

Docker versions 1.3.0 through 1.3.1 allowed security options to be applied to images, allowing images to modify the default run profile of containers executing these images. This vulnerability could allow a malicious image creator to loosen the restrictions applied to a container's processes,...

Amazon Linux AMI : libX11 / libXcursor,libXfixes,libXi,libXrandr,libXrender,libXres,libXt,libXv,libXvMC,libXxf86dga,libXxf86vm,libdmx,xorg-x11-proto-devel (ALAS-2014-452)

Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially...