Amazon Linux AMI : nss (ALAS-2013-217)

It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding...

Amazon Linux AMI : libgcrypt (ALAS-2013-226)

GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload. C Tenable Network Security, Inc. The descriptive text and package checks in...

Amazon Linux AMI : rubygems (ALAS-2013-230)

Algorithmic complexity vulnerability in Gem::Version::VERSIONPATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service CPU...

Amazon Linux AMI : gnupg (ALAS-2013-225)

GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload. C Tenable Network Security, Inc. The descriptive text and package checks in...

Amazon Linux AMI : php54 (ALAS-2013-224)

Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID. The opensslx509parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0'...

Amazon Linux AMI : haproxy (ALAS-2013-215)

HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdrip or other 'hdr' functions with a negative occurrence count, allows remote attackers to cause a denial of service negative array index usage and crash via an HTTP header with a certain number of values, related to the...

Amazon Linux AMI : nagios (ALAS-2013-227)

nagios.upgradetov3.sh allows local users to overwrite arbitrary files via a symlink attack on a temporary nagioscfg file with a predictable name in /tmp/. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory...

Amazon Linux AMI : 389-ds-base (ALAS-2013-223)

ns-slapd in 389 Directory Server before 1.3.0.8 allows remote attackers to cause a denial of service server crash via a crafted Distinguished Name DN in a MOD operation request. 389 Directory Server does not properly restrict access to entity attributes, which allows remote authenticated users to...

Amazon Linux AMI : nspr (ALAS-2013-216)

It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding...

Amazon Linux AMI : kernel (ALAS-2013-228)

The ipv6createtempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service excessive retries and address-generation outage, and consequently...

Amazon Linux AMI : bind (ALAS-2013-214)

A denial of service flaw was found in BIND. A remote attacker could use this flaw to send a specially crafted DNS query to named that, when processed, would cause named to crash when rejecting the malformed query. CVE-2013-4854 C Tenable Network Security, Inc. The descriptive text and package...

Amazon Linux AMI : puppet (ALAS-2013-219)

Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resourcetype service. NOTE: this vulnerability can only be exploited...

Amazon Linux AMI : cacti (ALAS-2013-222)

1 snmp.php and 2 rrd.php in Cacti before 0.8.8b allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors. Multiple SQL injection vulnerabilities in 1 apipoller.php and 2 utility.php in Cacti before 0.8.8b allow remote attackers to execute arbitrary SQL...

Amazon Linux AMI : python27 (ALAS-2013-220)

The ssl.matchhostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate...

Amazon Linux AMI : ruby19 (ALAS-2013-229)

1 DL and 2 Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions. C Tenable Network Security, Inc. The descriptive text and packa...

Amazon Linux AMI : openssl (ALAS-2013-171)

It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a paddi...

Amazon Linux AMI : libxml2 (ALAS-2013-188)

libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service CPU and memory consumption via an XML file containing an entity declaration with long replacement text and many references to this entity, aka 'internal entity expansion' with linear complexity. C Tenable...

Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-183)

Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption. CVE-2013-1569 , CVE-2013-2383 , CVE-2013-2384 Multiple improper permission check issues were...

Amazon Linux AMI : libvorbis (ALAS-2012-47)

A heap-based buffer overflow flaw was found in the way the libvorbis library parsed Ogg Vorbis media files. If a specially crafted Ogg Vorbis media file was opened by an application using libvorbis, it could cause the application to crash or, possibly, execute arbitrary code with the privileges o...

Amazon Linux AMI : nginx (ALAS-2011-30)

Heap-based buffer overflow in compression-pointer processing in core/ngxresolver.c in nginx before 1.0.10 allows remote resolvers to cause a denial of service daemon crash or possibly have unspecified other impact via a long response. C Tenable Network Security, Inc. The descriptive text and...