Amazon Linux AMI : glibc (ALAS-2014-400)

A directory traversal flaw was found in the way glibc loaded locale files. An attacker able to make an application use a specially crafted locale name value for example, specified in an LC environment variable could possibly use this flaw to execute arbitrary code with the privileges of that...

Amazon Linux AMI : httpd24 (ALAS-2014-389)

A race condition flaw, leading to heap-based buffer overflows, was found in the modstatus httpd module. A remote attacker able to access a status page served by modstatus on a server using a threaded Multi-Processing Module MPM could send a specially crafted request that would cause the httpd chi...

Amazon Linux AMI : libxml2 (ALAS-2014-340)

parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service out-of-bounds read via a document that ends abruptly, related to the lack of certain checks for the XMLPARSEREOF state. C Tenable Network Securit...

Amazon Linux AMI : php55 (ALAS-2014-362)

The cdfunpacksummaryinfo function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service performance degradation by triggering many fileprintf calls. The cdfreadpropertyinfo function in cdf.c in the Fileinfo component i...

Amazon Linux AMI : lzo (ALAS-2014-373)

An integer overflow flaw was found in the way the lzo library decompressed certain archives compressed with the LZO algorithm. An attacker could create a specially crafted LZO-compressed input that, when decompressed by an application using the lzo library, would cause that application to crash o...

Amazon Linux AMI : openssl (ALAS-2014-349)

It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. CVE-2014-0224 Note: In order to...

Amazon Linux AMI : libxcb (ALAS-2014-405)

Integer overflow in X.org libxcb 1.9 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the readpacket function. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon...

Amazon Linux AMI : chkrootkit (ALAS-2014-370)

A quoting issue was found in chkrootkit which would lead to a file in /tmp/ being executed, if /tmp/ was mounted without the noexec option. chkrootkit is typically run as the root user. A local attacker could use this flaw to escalate their privileges. C Tenable Network Security, Inc. The...

Amazon Linux AMI : file (ALAS-2014-398)

Integer overflow in the cdfreadpropertyinfo function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service application crash via a crafted CDF file. NOTE: this vulnerability exists becaus...

Amazon Linux AMI : cyrus-sasl (ALAS-2014-338)

Cyrus SASL 2.1.23, 2.1.26, and earlier does not properly handle when a NULL value is returned upon an error by the crypt function as implemented in glibc 2.17 and later, which allows remote attackers to cause a denial of service thread crash and consumption via 1 an invalid salt or, when FIPS-140...

Amazon Linux AMI : procmail (ALAS-2014-408)

A heap-based buffer overflow flaw was found in procmail's formail utility. A remote attacker could send an email with specially crafted headers that, when processed by formail, could cause procmail to crash or, possibly, execute arbitrary code as the user running formail. CVE-2014-3618 C Tenable...

Amazon Linux AMI : cacti (ALAS-2014-381)

Multiple cross-site scripting XSS vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the 1 drpaction parameter to cdef.php, 2 datainput.php, 3 dataqueries.php, 4 datasources.php, 5 datatemplates.php, 6 graphtemplates.php, 7 graphs.php, 8 host.php, or...

Amazon Linux AMI : axis (ALAS-2014-412)

It was discovered that Axis incorrectly extracted the host name from an X.509 certificate subject's Common Name CN field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. CVE-2014-3596 C Tenable Network Security, Inc. The...

Amazon Linux AMI : nss-softokn (ALAS-2014-423)

A flaw was found in the way NSS parsed ASN.1 Abstract Syntax Notation One input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS. C Tenable Network Security, Inc. The descriptive tex...

Amazon Linux AMI : php55 (ALAS-2014-372)

acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file. A denial of service flaw was found in the way the File Information fileinfo extension parsed certain Composite Document...

Amazon Linux AMI : gnupg2 (ALAS-2014-379)

The douncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service infinite loop via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence. C Tenable Network Security, Inc. The...

Amazon Linux AMI : fwsnort (ALAS-2014-409)

Untrusted search path vulnerability in fwsnort before 1.6.4, when not running as root, allows local users to execute arbitrary code via a Trojan horse fwsnort.conf in the current working directory. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were...

Amazon Linux AMI : php55 (ALAS-2014-415)

A denial of service flaw was found in the way the File Information fileinfo extension parsed certain Composite Document Format CDF files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file. gdctx.c in the GD component in PHP 5.4.x befo...

Amazon Linux AMI : ca-certificates (ALAS-2011-3)

This package contains the set of CA certificates chosen by the Mozilla Foundation for use with the Internet Public Key Infrastructure PKI. It was found that a Certificate Authority CA issued fraudulent HTTPS certificates. This update removes that CA's root certificate from the ca-certificates...

Amazon Linux AMI : php55 (ALAS-2014-342)

The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service CPU consumption via a crafted ASCII file that triggers a large amount of...