Lucene search

8699 matches found

Amazon | added 2024/10/02 12:00 a.m. | 3 views

Medium: xerces-j2

Issue Overview: Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions. CVE-2012-0881 There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when...

CVSS 7.8 | AI score 7.1 | EPSS 0.02102 | Exploits 0

Amazon | added 2024/10/02 12:00 a.m. | 17 views

Medium: libtiff

Issue Overview: libtiff: NULL pointer dereference in tif_dirinfo.c CVE-2024-7006 Affected Packages: libtiff Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction: Run yum updat...

CVSS 7.5 | AI score 7.9 | EPSS 0.00541 | Exploits 0

Amazon | added 2024/10/01 12:00 a.m. | 6 views

Important: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout CVE-2024-27397 In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's d_name.name CVE-2024-3949...

CVSS 7.8 | AI score 7.2 | EPSS 0.00037 | Exploits 0

Amazon | added 2024/10/01 12:00 a.m. | 6 views

Important: microcode_ctl

Issue Overview: Improper isolation in some Intel(R) Processors stream cache mechanism may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2023-49141 Insufficient control flow management for some Intel(R) Xeon Processors may allow an authenticated user t...

CVSS 7.8 | AI score 7.4 | EPSS 0.00077 | Exploits 0

Amazon | added 2024/10/01 12:00 a.m. | 3 views

Medium: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: ext4: fix corruption during on-line resize CVE-2024-35807 Affected Packages: kernel Issue Correction: Run dnf update kernel --releasever 2023.5.20240916 to update your system. New Packages: aarch64: ...

AI score 7.4 | EPSS 0.00008 | Exploits 0

Amazon | added 2024/10/01 12:00 a.m. | 4 views

Medium: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix null pointer dereference on error CVE-2024-41098 In the Linux kernel, the following vulnerability has been resolved: kcm: Serialise kcm_sendmsg() for the same socket. CVE-2024-44946 In the Linux...

CVSS 7.8 | AI score 7.7 | EPSS 0.00231 | Exploits 0

Amazon | added 2024/10/01 12:00 a.m. | 6 views

Medium: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix null pointer dereference on error CVE-2024-41098 In the Linux kernel, the following vulnerability has been resolved: kcm: Serialise kcm_sendmsg() for the same socket. CVE-2024-44946 In the Linux...

CVSS 7.8 | AI score 7.6 | EPSS 0.00231 | Exploits 0

Amazon | added 2024/10/01 12:00 a.m. | 2 views

Medium: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: ext4: fix corruption during on-line resize CVE-2024-35807 Affected Packages: kernel Issue Correction: Run dnf update kernel --releasever 2023.5.20240916 or dnf update --advisory ALAS2023-2024-715 --releasever...

CVSS 5.5 | AI score 6.4 | EPSS 0.00008 | Exploits 0

Amazon | added 2024/10/01 12:00 a.m. | 2 views

Important: microcode_ctl

Issue Overview: Improper isolation in some Intel(R) Processors stream cache mechanism may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2023-49141 Insufficient control flow management for some Intel(R) Xeon Processors may allow an authenticated user t...

CVSS 7.8 | AI score 7.1 | EPSS 0.00077 | Exploits 0

Amazon | added 2024/10/01 12:00 a.m. | 4 views

Important: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new CVE-2023-52887 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestam...

CVSS 7.8 | AI score 7.3 | EPSS 0.00037 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 2 views

Low: systemd

Issue Overview: An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the findin...

CVSS 5.3 | AI score 6.9 | EPSS 0.00138 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 3 views

Medium: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix null pointer dereference on error CVE-2024-41098 In the Linux kernel, the following vulnerability has been resolved: ethtool: check device is present when getting link settings CVE-2024-46679...

CVSS 5.5 | AI score 6.5 | EPSS 0.00022 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 5 views

Medium: ruby

Issue Overview: ruby: RCE vulnerability with .rdoc_options in RDoc CVE-2024-27281 Affected Packages: ruby Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction: Run yum update...

CVSS 4.5 | AI score 7 | EPSS 0.02532 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 17 views

Low: systemd

Issue Overview: An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the findin...

CVSS 5.3 | AI score 5.2 | EPSS 0.00138 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 4 views

Important: firefox

Issue Overview: Insufficient checks when processing graphics shared memory could have led to memory corruption. This could be leveraged by an attacker to perform a sandbox escape. This vulnerability affects Firefox 129, Firefox ESR 115.14, Firefox ESR 128.1, Thunderbird 128.1, and Thunderbird...

CVSS 9.8 | AI score 8.9 | EPSS 0.00369 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 6 views

Important: kernel-livepatch-5.10.220-209.867

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix double free on error CVE-2024-41087 Affected Packages: kernel-livepatch-5.10.220-209.867 Issue Correction: Please ensure you have live patching enabled. Run yum update...

CVSS 7.8 | AI score 6.7 | EPSS 0.00012 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 1 view

Medium: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: ext4: fix corruption during on-line resize CVE-2024-35807 Affected Packages: kernel Note: This advisory is applicable to Amazon Linux 2 - Kernel-5.15 Extra. Visit this page to learn more about Amazon Linux 2 (AL2)...

CVSS 5.5 | AI score 6.7 | EPSS 0.00008 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 2 views

Important: kernel

Issue Overview: A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier...

CVSS 7.8 | AI score 6.2 | EPSS 0.00031 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 25 views

Important: microcode_ctl

Issue Overview: Improper isolation in some Intel(R) Processors stream cache mechanism may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2023-49141 Insufficient control flow management for some Intel(R) Xeon Processors may allow an authenticated user t...

CVSS 7.8 | AI score 7.3 | EPSS 0.00077 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 3 views

Important: microcode_ctl

Issue Overview: Improper isolation in some Intel(R) Processors stream cache mechanism may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2023-49141 Insufficient control flow management for some Intel(R) Xeon Processors may allow an authenticated user t...

CVSS 7.8 | AI score 7.1 | EPSS 0.00077 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 8 views

Medium: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: xen/events: close evtchn after mapping cleanup CVE-2024-26687 In the Linux kernel, the following vulnerability has been resolved: ext4: fix corruption during on-line resize CVE-2024-35807 Affected Packages: kernel...

CVSS 5.5 | AI score 6.7 | EPSS 0.00021 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 21 views

Medium: ruby

Issue Overview: A flaw was found in the way the Ruby REXML library parsed XML documents. Parsing a specially crafted XML document using REXML and writing parsed data back to a new XML document results in creating a document with a different structure. This issue could affect the integrity of...

CVSS 7.5 | AI score 7.6 | EPSS 0.00637 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 3 views

Medium: ruby

Issue Overview: A flaw was found in the way the Ruby REXML library parsed XML documents. Parsing a specially crafted XML document using REXML and writing parsed data back to a new XML document results in creating a document with a different structure. This issue could affect the integrity of...

CVSS 7.5 | AI score 6.8 | EPSS 0.00637 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 19 views

Medium: ruby

Issue Overview: ruby: RCE vulnerability with .rdoc_options in RDoc CVE-2024-27281 Affected Packages: ruby Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction: Run yum update...

CVSS 4.5 | AI score 7.8 | EPSS 0.02532 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 5 views

Medium: openssl-snapsafe

Issue Overview: Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected applicati...

CVSS 9.1 | AI score 7 | EPSS 0.06702 | Exploits 1

Amazon | added 2024/09/18 12:00 a.m. | 2 views

Important: firefox

Issue Overview: An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. This vulnerability affects Firefox 128, Firefox ESR 115.13, Thunderbird 115.13, and Thunderbird 128...

CVSS 9.8 | AI score 9.2 | EPSS 0.11622 | Exploits 1

Amazon | added 2024/09/18 12:00 a.m. | 2 views

Important: python2-setuptools

Issue Overview: A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptibl...

CVSS 8.8 | AI score 8.7 | EPSS 0.09639 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 2 views

Medium: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: don't allow mapping the MMIO HDP page with large pages CVE-2024-41011 In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix null pointer dereference on error...

CVSS 7.8 | AI score 6.5 | EPSS 0.00495 | Exploits 2

Amazon | added 2024/09/18 12:00 a.m. | 57 views

Important: python2-setuptools

Issue Overview: A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptibl...

CVSS 8.8 | AI score 8.4 | EPSS 0.09639 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 1 view

Important: kernel

Issue Overview: A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier...

CVSS 7.8 | AI score 6.5 | EPSS 0.00028 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 5 views

Important: kernel-livepatch-5.10.220-209.869

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix double free on error CVE-2024-41087 Affected Packages: kernel-livepatch-5.10.220-209.869 Issue Correction: Please ensure you have live patching enabled. Run yum update...

CVSS 7.8 | AI score 6.7 | EPSS 0.00012 | Exploits 0

Amazon | added 2024/09/18 12:00 a.m. | 21 views

Medium: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: xen/events: close evtchn after mapping cleanup CVE-2024-26687 In the Linux kernel, the following vulnerability has been resolved: ext4: fix corruption during on-line resize CVE-2024-35807 Affected Packages: kernel...

CVSS 5.5 | AI score 7.8 | EPSS 0.00021 | Exploits 0

Amazon | added 2024/09/17 12:00 a.m. | 23 views

Important: microcode_ctl

Issue Overview: Improper isolation in some Intel(R) Processors stream cache mechanism may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2023-49141 Affected Packages: microcode_ctl Issue Correction: Run yum update microcode_ctl or yum update --advisory...

CVSS 7.8 | AI score 6.6 | EPSS 0.00077 | Exploits 0

Amazon | added 2024/09/05 12:00 a.m. | 24 views

Important: amazon-cloudwatch-agent

Issue Overview: Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability CVE-2024-35255 The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows...

CVSS 9.9 | AI score 7.5 | EPSS 0.03345 | Exploits 1

Amazon | added 2024/09/05 12:00 a.m. | 4 views

Medium: microcode_ctl

Issue Overview: Insufficient control flow management for some Intel(R) Xeon Processors may allow an authenticated user to potentially enable denial of service via local access. CVE-2024-22374 Affected Packages: microcode_ctl Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository...

CVSS 6.8 | AI score 6.5 | EPSS 0.00032 | Exploits 0

Amazon | added 2024/09/05 12:00 a.m. | 21 views

Medium: microcode_ctl

Issue Overview: Insufficient control flow management for some Intel(R) Xeon Processors may allow an authenticated user to potentially enable denial of service via local access. CVE-2024-22374 Affected Packages: microcode_ctl Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository...

CVSS 6.8 | AI score 6.5 | EPSS 0.00032 | Exploits 0

Amazon | added 2024/09/05 12:00 a.m. | 3 views

Important: thunderbird

Issue Overview: Insufficient checks when processing graphics shared memory could have led to memory corruption. This could be leveraged by an attacker to perform a sandbox escape. This vulnerability affects Firefox 129, Firefox ESR 115.14, Firefox ESR 128.1, Thunderbird 128.1, and Thunderbird...

CVSS 9.8 | AI score 8.8 | EPSS 0.00369 | Exploits 0

Amazon | added 2024/09/05 12:00 a.m. | 17 views

Important: thunderbird

Issue Overview: Insufficient checks when processing graphics shared memory could have led to memory corruption. This could be leveraged by an attacker to perform a sandbox escape. This vulnerability affects Firefox 129, Firefox ESR 115.14, Firefox ESR 128.1, Thunderbird 128.1, and Thunderbird...

CVSS 9.8 | AI score 7.6 | EPSS 0.00369 | Exploits 0

Amazon | added 2024/09/05 12:00 a.m. | 5 views

Important: amazon-cloudwatch-agent

Issue Overview: Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability CVE-2024-35255 The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows...

CVSS 9.9 | AI score 6.9 | EPSS 0.03345 | Exploits 1

Amazon | added 2024/09/04 12:00 a.m. | 2 views

Medium: runc

Issue Overview: The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. CVE-2024-24790 Affected Packages: runc Issue Correction: Run dnf update runc --releasev...

CVSS 9.8 | AI score 6.8 | EPSS 0.00172 | Exploits 0

Amazon | added 2024/09/04 12:00 a.m. | 3 views

Medium: docker

Issue Overview: The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. CVE-2024-24790 Affected Packages: docker Issue Correction: Run dnf update docker...

CVSS 9.8 | AI score 7.2 | EPSS 0.00172 | Exploits 0

Amazon | added 2024/09/04 12:00 a.m. | 7 views

Medium: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: prefer nft_chain_validate CVE-2024-41042 In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Sanitise num_phys CVE-2024-42159 In the Linux kernel, the following...

CVSS 7.8 | AI score 7.7 | EPSS 0.00033 | Exploits 3

Amazon | added 2024/09/04 12:00 a.m. | 7 views

Important: kernel-livepatch-4.14.348-265.565

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: kdb: Fix buffer overflow during tab-complete CVE-2024-39480 Affected Packages: kernel-livepatch-4.14.348-265.565 Issue Correction: Please ensure you have live patching enabled. Run yum update...

CVSS 7.8 | AI score 7.1 | EPSS 0.00021 | Exploits 0

Amazon | added 2024/09/04 12:00 a.m. | 2 views

Medium: microcode_ctl

Issue Overview: Insufficient control flow management for some Intel(R) Xeon Processors may allow an authenticated user to potentially enable denial of service via local access. CVE-2024-22374 Affected Packages: microcode_ctl Issue Correction: Run dnf update microcode_ctl --releasever 2023.5.20240903 ...

CVSS 6.8 | AI score 6.4 | EPSS 0.00032 | Exploits 0

Amazon | added 2024/09/04 12:00 a.m. | 5 views

Important: amazon-cloudwatch-agent

Issue Overview: Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability CVE-2024-35255 The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows...

CVSS 9.9 | AI score 7.4 | EPSS 0.03345 | Exploits 1

Amazon | added 2024/09/04 12:00 a.m. | 3 views

Medium: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the wor...

CVSS 7.8 | AI score 6.6 | EPSS 0.00037 | Exploits 3

Amazon | added 2024/09/04 12:00 a.m. | 2 views

Medium: nginx

Issue Overview: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and...

CVSS 5.7 | AI score 6.8 | EPSS 0.00197 | Exploits 0

Amazon | added 2024/09/04 12:00 a.m. | 5 views

Medium: nginx

Issue Overview: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and...

CVSS 5.7 | AI score 7.2 | EPSS 0.00197 | Exploits 0

Amazon | added 2024/09/04 12:00 a.m. | 3 views

Medium: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: prefer nft_chain_validate CVE-2024-41042 In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Sanitise num_phys CVE-2024-42159 In the Linux kernel, the following...

CVSS 7.8 | AI score 7.3 | EPSS 0.00033 | Exploits 3

Amazon | added 2024/09/04 12:00 a.m. | 4 views

Medium: runc

Issue Overview: The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. CVE-2024-24790 Affected Packages: runc Issue Correction: Run dnf update runc --releasev...

CVSS 9.8 | AI score 7.2 | EPSS 0.00172 | Exploits 0

Total number of security vulnerabilities: 8699