Amazon Linux AMI : iproute (ALAS-2012-64)

iproute2 before 3.3.0 allows local users to overwrite arbitrary files via a symlink attack on a temporary file used by 1 configure or 2 examples/dhcp-client-script. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Securit...

Amazon Linux AMI : jasper (ALAS-2011-29)

Two heap-based buffer overflow flaws were found in the way JasPer decoded JPEG 2000 compressed image files. An attacker could create a malicious JPEG 2000 compressed image file that, when opened, would cause applications that use JasPer such as Nautilus to crash or, potentially, execute arbitrary...

Amazon Linux AMI : libxml2 (ALAS-2013-188)

libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service CPU and memory consumption via an XML file containing an entity declaration with long replacement text and many references to this entity, aka 'internal entity expansion' with linear complexity. C Tenable...

Amazon Linux AMI : postgresql8 (ALAS-2012-82)

The pgdump utility inserted object names literally into comments in the SQL script it produces. An unprivileged database user could create an object whose name includes a newline followed by a SQL command. This SQL command might then be executed by a privileged user during later restore of the...

Amazon Linux AMI : lighttpd (ALAS-2012-107)

Integer signedness error in the base64decode function in the HTTP authentication functionality httpauth.c in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service segmentation fault via crafted base64 input that triggers an out-of-bounds...

Amazon Linux AMI : perl-YAML-LibYAML (ALAS-2012-69)

Multiple format string vulnerabilities in the error reporting functionality in the YAML::LibYAML aka YAML-LibYAML and perl-YAML-LibYAML module 0.38 for Perl allow remote attackers to cause a denial of service process crash via format string specifiers in a 1 YAML stream to the Load function, 2 YA...

Amazon Linux AMI : bind (ALAS-2011-24)

A flaw was discovered in the way BIND handled certain DNS queries, which caused it to cache an invalid record. A remote attacker could use this flaw to send repeated queries for this invalid record, causing the resolvers to exit unexpectedly due to a failed assertion. C Tenable Network Security,...

Amazon Linux AMI : kernel (ALAS-2012-83)

It was found that the datalen parameter of the sockallocsendpskb function in the Linux kernel's networking implementation was not validated before use. A local user with access to a TUN/TAP virtual interface could use this flaw to crash the system or, potentially, escalate their privileges. Note...

Amazon Linux AMI : postgresql8 (ALAS-2012-129)

It was found that the optional PostgreSQL xml2 contrib module allowed local files and remote URLs to be read and written to with the privileges of the database server when parsing Extensible Stylesheet Language Transformations XSLT. An unprivileged database user could use this flaw to read and...

Amazon Linux AMI : mysql51 (ALAS-2013-152)

This update fixes several vulnerabilities in the MySQL database server. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amazon Linux AMI Security Advisory ALAS-2013-152. include"compat.inc"; if description scriptid69711;...

Amazon Linux AMI : libpng (ALAS-2012-49)

A heap-based buffer overflow flaw was found in libpng. An attacker could create a specially crafted PNG image that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application. CVE-2011-3026 C Tenable...

Amazon Linux AMI : pam (ALAS-2013-160)

A stack-based buffer overflow flaw was found in the way the pamenv module parsed users' '/.pamenvironment' files. If an application's PAM configuration contained 'userreadenv=1' this is not the default, a local attacker could use this flaw to crash the application or, possibly, escalate their...

Amazon Linux AMI : kernel (ALAS-2012-58)

The ExecShield feature does not properly handle use of many shared libraries by a 32-bit executable file, which makes it easier for context-dependent attackers to bypass the ASLR protection mechanism by leveraging a predictable base address for one of these libraries. C Tenable Network Security,...

Amazon Linux AMI : php (ALAS-2012-116)

Unspecified vulnerability in the phpstreamscandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an 'overflow.' C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were...

Amazon Linux AMI : freetype (ALAS-2013-150)

A flaw was found in the way the FreeType font rendering engine processed certain Glyph Bitmap Distribution Format BDF fonts. If a user loaded a specially crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code wit...

Amazon Linux AMI : socat (ALAS-2013-202)

socat 1.2.0.0 before 1.7.2.2 and 2.0.0-b1 before 2.0.0-b6, when used for a listen type address and the fork option is enabled, allows remote attackers to cause a denial of service file descriptor consumption via multiple request that are refused based on the 1 sourceport, 2 lowport, 3 range, or 4...

Amazon Linux AMI : openjpeg (ALAS-2012-111)

An input validation flaw, leading to a heap-based buffer overflow, was found in the way OpenJPEG handled the tile number and size in an image tile header. A remote attacker could provide a specially crafted image file that, when decoded using an application linked against OpenJPEG, would cause th...

Amazon Linux AMI : icu (ALAS-2012-33)

A stack-based buffer overflow flaw was found in the way ICU performed variant canonicalization for some locale identifiers. If a specially crafted locale representation was opened in an application linked against ICU, it could cause the application to crash or, possibly, execute arbitrary code wi...

Amazon Linux AMI : fail2ban (ALAS-2013-209)

The apache-auth.conf, apache-nohome.conf, apache-noscript.conf, and apache-overflows.conf files in Fail2ban before 0.8.10 do not properly validate log messages, which allows remote attackers to block arbitrary IP addresses via certain messages in a request. C Tenable Network Security, Inc. The...

Amazon Linux AMI : bind (ALAS-2012-84)

A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory...