Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-151)

Two improper permission check issues were discovered in the reflection API in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from...

Amazon Linux AMI : bind (ALAS-2012-113)

An uninitialized data structure use flaw was found in BIND when DNSSEC validation was enabled. A remote attacker able to send a large number of queries to a DNSSEC validating BIND resolver could use this flaw to cause it to exit unexpectedly with an assertion failure. CVE-2012-3817 C Tenable...

Amazon Linux AMI : php (ALAS-2012-37)

It was found that the hashing routine used by PHP arrays was susceptible to predictable hash collisions. If an HTTP POST request to a PHP application contained many parameters whose names map to the same hash value, a large amount of CPU time would be consumed. This flaw has been mitigated by...

Amazon Linux AMI : dhcp (ALAS-2012-31)

A denial of service flaw was found in the way the dhcpd daemon handled DHCP request packets when regular expression matching was used in '/etc/dhcp/dhcpd.conf'. A remote attacker could use this flaw to crash dhcpd. CVE-2011-4539 C Tenable Network Security, Inc. The descriptive text and package...

Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2013-163)

An improper permission check issue was discovered in the JMX component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. CVE-2013-1486 It was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted...

Amazon Linux AMI : cyrus-imapd (ALAS-2011-27)

An authentication bypass flaw was found in the cyrus-imapd NNTP server, nntpd. A remote user able to use the nntpd service could use this flaw to read or post newsgroup messages on an NNTP server configured to require user authentication, without providing valid authentication credentials...

Amazon Linux AMI : mysql55 (ALAS-2012-144)

A stack-based buffer overflow flaw was found in the user permission checking code in MySQL. An authenticated database user could use this flaw to crash the mysqld daemon or, potentially, execute arbitrary code with the privileges of the user running the mysqld daemon. CVE-2012-5611 C Tenable...

Amazon Linux AMI : puppet (ALAS-2011-11)

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when running in --edit mode, uses a predictable file name, which allows local users to run arbitrary Puppet code or trick a user into editing arbitrary files. Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users ...

Amazon Linux AMI : jasper (ALAS-2011-29)

Two heap-based buffer overflow flaws were found in the way JasPer decoded JPEG 2000 compressed image files. An attacker could create a malicious JPEG 2000 compressed image file that, when opened, would cause applications that use JasPer such as Nautilus to crash or, potentially, execute arbitrary...

Amazon Linux AMI : perl-YAML-LibYAML (ALAS-2012-69)

Multiple format string vulnerabilities in the error reporting functionality in the YAML::LibYAML aka YAML-LibYAML and perl-YAML-LibYAML module 0.38 for Perl allow remote attackers to cause a denial of service process crash via format string specifiers in a 1 YAML stream to the Load function, 2 YA...

Amazon Linux AMI : python26 (ALAS-2012-98)

A denial of service flaw was found in the implementation of associative arrays dictionaries in Python. An attacker able to supply a large number of inputs to a Python application such as HTTP POST request parameters sent to a web application that are used as keys when inserting data into an array...

Amazon Linux AMI : axis (ALAS-2013-164)

Apache Axis did not verify that the server hostname matched the domain name in the subject's Common Name CN or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. CVE-2012-57...

Amazon Linux AMI : php54 (ALAS-2013-212)

A buffer overflow flaw was found in the way PHP parsed deeply nested XML documents. If a PHP application used the xmlparseintostruct function to parse untrusted XML content, an attacker able to supply specially crafted XML could use this flaw to crash the application or, possibly, execute arbitra...

Amazon Linux AMI : puppet (ALAS-2013-213)

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call. C Tenable Network Security, Inc. The descriptive text and...

Amazon Linux AMI : nss (ALAS-2012-102)

It was found that a Certificate Authority CA issued a subordinate CA certificate to its customer, that could be used to issue certificates for any name. This update renders the subordinate CA certificate as untrusted. C Tenable Network Security, Inc. The descriptive text and package checks in thi...

Amazon Linux AMI : php (ALAS-2012-95)

Integer overflow in the pharparsetarfile function in tar.c in the phar extension in PHP before 5.3.14 and 5.4.x before 5.4.4 allows remote attackers to cause a denial of service application crash or possibly execute arbitrary code via a crafted tar file that triggers a heap-based buffer overflow...

Amazon Linux AMI : tomcat7 (ALAS-2013-191)

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other application...

Amazon Linux AMI : perl-libwww-perl (ALAS-2011-17)

The Net::HTTPS module in libwww-perl LWP before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof...

Amazon Linux AMI : dbus (ALAS-2012-128)

It was discovered that the D-Bus library honored environment settings even when running with elevated privileges. A local attacker could possibly use this flaw to escalate their privileges, by setting specific environment variables before running a setuid or setgid application linked against the...

Amazon Linux AMI : perl-DBD-Pg (ALAS-2012-112)

Two format string flaws were found in perl-DBD-Pg. A specially crafted database warning or error message from a server could cause an application using perl-DBD-Pg to crash or, potentially, execute arbitrary code with the privileges of the user running the application. CVE-2012-1151 C Tenable...