Amazon Linux AMI : dhcp (ALAS-2013-157)

A flaw was found in the way the dhcpd daemon handled the expiration time of IPv6 leases. If dhcpd's configuration was changed to reduce the default IPv6 lease time, lease renewal requests for previously assigned leases could cause dhcpd to crash. CVE-2012-3955 C Tenable Network Security, Inc. The...

Amazon Linux AMI : gnutls (ALAS-2013-197)

It was discovered that the fix for the CVE-2013-1619 issue introduced a regression in the way GnuTLS decrypted TLS/SSL encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to crash a server or client application that uses GnuTLS. CVE-2013-2116 C...

Amazon Linux AMI : cvs (ALAS-2012-51)

A heap-based buffer overflow flaw was found in the way the CVS client handled responses from HTTP proxies. A malicious HTTP proxy could use this flaw to cause the CVS client to crash or, possibly, execute arbitrary code with the privileges of the user running the CVS client. CVE-2012-0804 C Tenab...

Amazon Linux AMI : kernel (ALAS-2012-122)

The Netlink implementation in the Linux kernel before 3.2.30 does not properly handle messages that lack SCMCREDENTIALS data, which might allow local users to spoof Netlink communication via a crafted message, as demonstrated by a message to 1 Avahi or 2 NetworkManager. C Tenable Network Security...

Amazon Linux AMI : kernel (ALAS-2012-83)

It was found that the datalen parameter of the sockallocsendpskb function in the Linux kernel's networking implementation was not validated before use. A local user with access to a TUN/TAP virtual interface could use this flaw to crash the system or, potentially, escalate their privileges. Note...

Amazon Linux AMI : cups (ALAS-2013-170)

It was discovered that CUPS administrative users members of the SystemGroups groups who are permitted to perform CUPS configuration changes via the CUPS web interface could manipulate the CUPS configuration to gain unintended privileges. Such users could read or write arbitrary files with the...

Amazon Linux AMI : mysql (ALAS-2012-44)

This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. CVE-2011-2262 , CVE-2012-0075 , CVE-2012-0087 , CVE-2012-0101 , CVE-2012-0102 , CVE-2012-0112 ,...

Amazon Linux AMI : curl (ALAS-2013-210)

The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL. C Tenable Network Security, Inc. The descriptive text and package checks ...

Amazon Linux AMI : socat (ALAS-2012-87)

Heap-based buffer overflow in the xioscanreadline function in xio-readline.c in socat 1.4.0.0 through 1.7.2.0 and 2.0.0-b1 through 2.0.0-b4 allows local users to execute arbitrary code via the READLINE address. C Tenable Network Security, Inc. The descriptive text and package checks in this plugi...

Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2013-207)

Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption. CVE-2013-2470 , CVE-2013-2471 ,...

Amazon Linux AMI : cyrus-impad (ALAS-2011-02)

The MITRE CVE database describes CVE-2011-3208 as : A buffer overflow flaw was found in the cyrus-imapd NNTP server, nntpd. A remote user able to use the nntpd service could use this flaw to crash the nntpd child process or, possibly, execute arbitrary code with the privileges of the cyrus user. ...

Amazon Linux AMI : ruby (ALAS-2012-35)

Ruby aka CRuby before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service CPU consumption via crafted input to an application that maintains a hash table. C Tenable Network...

Amazon Linux AMI : freetype (ALAS-2011-20)

Multiple input validation flaws were found in the way FreeType processed CID-keyed fonts. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running...

Amazon Linux AMI : freetype (ALAS-2011-08)

The MITRE CVE database describes CVE-2011-3256 as : FreeType 2 before 2.4.7, as used in CoreGraphics in Apple iOS before 5, Mandriva Enterprise Server 5, and possibly other products, allows remote attackers to execute arbitrary code or cause a denial of service memory corruption via a crafted fon...

Amazon Linux AMI : libtiff (ALAS-2012-65)

Two integer overflow flaws, leading to heap-based buffer overflows, were found in the way libtiff attempted to allocate space for a tile in a TIFF image file. An attacker could use these flaws to create a specially crafted TIFF file that, when opened, would cause an application linked against...

Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-183)

Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption. CVE-2013-1569 , CVE-2013-2383 , CVE-2013-2384 Multiple improper permission check issues were...

Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2013-167)

An integer overflow flaw was found in the way the 2D component handled certain sample model instances. A specially crafted sample model instance could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with virtual machine privileges. CVE-2013-0809 It was...

Amazon Linux AMI : jakarta-commons-httpclient (ALAS-2013-169)

The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name CN or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for...

Amazon Linux AMI : nginx (ALAS-2011-30)

Heap-based buffer overflow in compression-pointer processing in core/ngxresolver.c in nginx before 1.0.10 allows remote resolvers to cause a denial of service daemon crash or possibly have unspecified other impact via a long response. C Tenable Network Security, Inc. The descriptive text and...

Amazon Linux AMI : cacti (ALAS-2011-23)

The release notes for Cacti 0.8.7h indicate that two security vulnerabilities were fixed, though no corresponding CVE has been issued. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory ALAS-2011-23...